[winfnt] Fix Savannah bug #41694.

* src/winfonts/winfnt.c (FNT_Load_Glyph): Check glyph offset.
author: Werner Lemberg <wl@gnu.org> 2014-02-26 18:12:36 +0100
committer: Werner Lemberg <wl@gnu.org> 2014-02-26 18:12:36 +0100
commit: eee4ff8d5aff07a073d6b5721a00eb0eb7715c5e (patch)
tree: c896fb0f563615101ef66506627d23d5912d9cab /src/winfonts
parent: 08c628d128e6fba3a7a7be610d459b0d7f556f07 (diff)
download: freetype2-eee4ff8d5aff07a073d6b5721a00eb0eb7715c5e.tar.gz
1 files changed, 15 insertions, 5 deletions
diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
index fd6fc557f..e9c1a9b5f 100644
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    FreeType font driver for Windows FNT/FON files                       */
 /*                                                                         */
-/*  Copyright 1996-2004, 2006-2013 by                                      */
+/*  Copyright 1996-2004, 2006-2014 by                                      */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*  Copyright 2003 Huw D M Davies for Codeweavers                          */
 /*  Copyright 2007 Dmitry Timoshkov for Codeweavers                        */
@@ -977,7 +977,7 @@
 
     font = face->font;
 
-    if ( !font ||
+    if ( !font                                                   ||
          glyph_index >= (FT_UInt)( FT_FACE( face )->num_glyphs ) )
     {
       error = FT_THROW( Invalid_Argument );
@@ -989,16 +989,26 @@
     if ( glyph_index > 0 )
       glyph_index--;                           /* revert to real index */
     else
-      glyph_index = font->header.default_char; /* the .notdef glyph */
+      glyph_index = font->header.default_char; /* the `.notdef' glyph  */
 
     new_format = FT_BOOL( font->header.version == 0x300 );
     len        = new_format ? 6 : 4;
 
-    /* jump to glyph entry */
-    p = font->fnt_frame + ( new_format ? 148 : 118 ) + len * glyph_index;
+    /* get glyph width and offset */
+    offset = ( new_format ? 148 : 118 ) + len * glyph_index;
+
+    if ( offset >= font->header.file_size - 2 - ( new_format ? 4 : 2 ) )
+    {
+      FT_TRACE2(( "invalid FNT offset\n" ));
+      error = FT_THROW( Invalid_File_Format );
+      goto Exit;
+    }
+
+    p = font->fnt_frame + offset;
 
     bitmap->width = FT_NEXT_SHORT_LE( p );
 
+    /* jump to glyph entry */
     if ( new_format )
       offset = FT_NEXT_ULONG_LE( p );
     else
author	Werner Lemberg <wl@gnu.org>	2014-02-26 18:12:36 +0100
committer	Werner Lemberg <wl@gnu.org>	2014-02-26 18:12:36 +0100
commit	eee4ff8d5aff07a073d6b5721a00eb0eb7715c5e (patch)
tree	c896fb0f563615101ef66506627d23d5912d9cab /src/winfonts
parent	08c628d128e6fba3a7a7be610d459b0d7f556f07 (diff)
download	freetype2-eee4ff8d5aff07a073d6b5721a00eb0eb7715c5e.tar.gz