author | Werner Lemberg <wl@gnu.org> | 2015-10-08 21:31:57 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2015-10-08 21:31:57 +0200 |
commit | 06c2d3324e8a8dbe153d51129adadd8d8eb4f834 (patch) | |
tree | 57a88064a3b5d1fd9f1de985b46b49b38469e6d4 /src/type42 | |
parent | 983b00ec8667baf6cd6b23c420d94c681ffd2ec4 (diff) | |
[type42] Protect against invalid number of glyphs (#46159).
* src/type42/t42parse.c (t42_parse_charstrings): Check number of
`CharStrings' dictionary entries against size of data stream.
Diffstat (limited to 'src/type42')
-rw-r--r-- | src/type42/t42parse.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 003b63ed7..a32d496af 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -795,6 +795,17 @@
 error = FT_THROW( Invalid_File_Format );
 goto Fail;
 }
+
+ /* we certainly need more than 4 bytes per glyph */
+ if ( loader->num_glyphs > ( limit - parser->root.cursor ) >> 2 )
+ {
+ FT_TRACE0(( "t42_parse_charstrings: adjusting number of glyphs"
+ " (from %d to %d)\n",
+ loader->num_glyphs,
+ ( limit - parser->root.cursor ) >> 2 ));
+ loader->num_glyphs = ( limit - parser->root.cursor ) >> 2;
+ }
+
+ }
 else if ( *parser->root.cursor == '<' )
 {
 |
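Review bot: In the added FT_TRACE0 call, `( limit - parser->root.cursor ) >> 2` is a pointer difference (ptrdiff_t) passed to a `%d` conversion, which is a varargs type mismatch on targets where ptrdiff_t is wider than int. Inside this branch the value is already known to be below `loader->num_glyphs`, so casting the argument is safe: `(FT_Int)( ( limit - parser->root.cursor ) >> 2 ) ));`, assuming num_glyphs is an FT_Int as the existing `%d` suggests. The clamp can also leave `loader->num_glyphs` at 0 when fewer than four bytes remain, and the comment says "more than 4 bytes" while the test admits exactly four. The code that consumes num_glyphs lies outside the hunk, so it is worth confirming that it tolerates a zero count; t42_parse_charstrings itself starts and ends outside the hunk.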