From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
From: suzuki toshiya
Date: Wed, 26 Nov 2014 15:43:29 +0900
Subject: [PATCH] Fix Savannah bug #43538.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork.
---
 ChangeLog         |  7 +++++++
 src/base/ftobjs.c | 15 ++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 985512eb0..5ba75b6b8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-26  suzuki toshiya
+
+	Fix Savannah bug #43538.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+	by a broken POST table in resource-fork.
+
 2014-11-26  suzuki toshiya
 
 	* src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4d60e885a..ffbbc3269 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1580,10 +1580,23 @@
           goto Exit;
         if ( FT_READ_LONG( temp ) )
           goto Exit;
+        if ( 0 > temp )
+          error = FT_THROW( Invalid_Offset );
+        else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+          error = FT_THROW( Array_Too_Large );
+
+        if ( error )
+          goto Exit;
+
         pfb_len += temp + 6;
       }
 
-      if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+      if ( 0x7FFFFFFFL - 2 < pfb_len )
+        error = FT_THROW( Array_Too_Large );
+      else
+        error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+
+      if ( error )
         goto Exit;
 
       pfb_data[0] = 0x80;
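Review bot: The new line `error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );` in the ftobjs.c hunk discards the real allocation error: FT_ALLOC is FreeType's condition-style macro, which already stores the result of the allocation into `error` and then evaluates to `error != 0`, so the assignment overwrites an out-of-memory code with the value 1 (if the macro definition in this tree still follows that pattern — please confirm). Keeping the macro in a condition preserves the code and the early exit: `else if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )` followed by `goto Exit;`, with the trailing `if ( error ) goto Exit;` left to cover the Array_Too_Large branch. The bound `0x7FFFFFFFL` appears twice without explanation; the checks are correct only as long as the resource lengths and `pfb_len` are kept within a signed 32-bit range, so a one-line comment such as `/* keep pfb_len + 2 within the 32-bit FT_Long range used by FT_ALLOC */` at the first use would document the intent. Whether `temp` and `pfb_len` have the same signedness cannot be seen here, and Mac_Read_POST_Resource starts and ends outside the hunk.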