From 3df92aa04cf7c537ac9b3f64a8e03168db10c60a Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sun, 13 Sep 2015 09:21:52 +0200
Subject: [PATCH] [winfonts] Check alignment shift count for resource data (#45938).

* src/winfonts/winfnt.c (fnt_face_get_dll_font): Implement it.
---
 ChangeLog | 6 ++++++
 src/winfonts/winfnt.c | 15 +++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 47cfcf3a3..14e3ae1fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-09-13 Werner Lemberg
+
+ [winfonts] Check alignment shift count for resource data (#45938).
+
+ * src/winfonts/winfnt.c (fnt_face_get_dll_font): Implement it.
+
 2015-09-13 Werner Lemberg
 [type1] Fix potential buffer overflow (#45923).
diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
index 36e3eb0c2..4bfa55a42 100644
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -320,6 +320,21 @@
 size_shift = FT_GET_USHORT_LE();
+ /* Microsoft's specification of the executable-file header format */
+ /* for `New Executable' (NE) doesn't give a limit for the */
+ /* alignment shift count; however, in 1985, the year of the */
+ /* specification release, only 32bit values were supported, thus */
+ /* anything larger than 16 doesn't make sense in general, given */
+ /* that file offsets are 16bit values, shifted by the alignment */
+ /* shift count */
+ if ( size_shift > 16 )
+ {
+ FT_TRACE2(( "invalid alignment shift count for resource data\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+
 for (;;)
 {
 FT_UShort type_id, count;
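Review bot: The rejection path in the new `if ( size_shift > 16 )` block discards the offending value, so a crafted font that trips this check leaves no record of what the shift count was; logging it makes the bound auditable from the trace output, e.g. `FT_TRACE2(( "invalid alignment shift count %u for resource data\n", size_shift ));` with the argument already in scope as `size_shift`. The seven-line comment explains the historical origin of the limit but not the invariant it establishes; a closing sentence such as `/* hence a 16-bit offset shifted by at most 16 always fits in 32 bits */` would tell the next maintainer why 16 (rather than, say, 15 or 31) is the right bound. The later code that applies `size_shift` to the resource offsets lies outside this hunk, so I could not confirm from the visible lines alone that every shifted offset is also compared against the stream length before it is used for a seek; that check, if absent, would be the other half of this hardening. fnt_face_get_dll_font's body starts before and continues after the hunk.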