[type1] Fix another potential buffer overflow (#45955).
* src/type1/t1parse (T1_Get_Private_Dict): Assure that check for `eexec' doesn't exceed `limit'.
This commit is contained in:
parent
ff7d640404
commit
7962a15d64
@ -1,3 +1,10 @@
|
||||
2015-09-14 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[type1] Fix another potential buffer overflow (#45955).
|
||||
|
||||
* src/type1/t1parse (T1_Get_Private_Dict): Assure that check for
|
||||
`eexec' doesn't exceed `limit'.
|
||||
|
||||
2015-09-13 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
Replace `mkinstalldirs' with AC_PROG_MKDIR_P.
|
||||
|
@ -334,7 +334,6 @@
|
||||
/* first of all, look at the `eexec' keyword */
|
||||
FT_Byte* cur = parser->base_dict;
|
||||
FT_Byte* limit = cur + parser->base_len;
|
||||
FT_Byte c;
|
||||
FT_Pointer pos_lf;
|
||||
FT_Bool test_cr;
|
||||
|
||||
@ -342,9 +341,9 @@
|
||||
Again:
|
||||
for (;;)
|
||||
{
|
||||
c = cur[0];
|
||||
if ( c == 'e' && cur + 9 < limit ) /* 9 = 5 letters for `eexec' + */
|
||||
/* whitespace + 4 chars */
|
||||
if ( cur[0] == 'e' &&
|
||||
cur + 9 < limit ) /* 9 = 5 letters for `eexec' + */
|
||||
/* whitespace + 4 chars */
|
||||
{
|
||||
if ( cur[1] == 'e' &&
|
||||
cur[2] == 'x' &&
|
||||
@ -374,8 +373,15 @@
|
||||
|
||||
while ( cur < limit )
|
||||
{
|
||||
if ( *cur == 'e' && ft_strncmp( (char*)cur, "eexec", 5 ) == 0 )
|
||||
goto Found;
|
||||
if ( cur[0] == 'e' &&
|
||||
cur + 5 < limit )
|
||||
{
|
||||
if ( cur[1] == 'e' &&
|
||||
cur[2] == 'x' &&
|
||||
cur[3] == 'e' &&
|
||||
cur[4] == 'c' )
|
||||
goto Found;
|
||||
}
|
||||
|
||||
T1_Skip_PS_Token( parser );
|
||||
if ( parser->root.error )
|
||||
|
Loading…
Reference in New Issue
Block a user