[type42] Fix heap buffer overflow (#46269).
* src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in bounds checking.
This commit is contained in:
parent
3cfd51233c
commit
87fefc594e
@ -1,3 +1,10 @@
|
||||
2015-10-21 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[type42] Fix heap buffer overflow (#46269).
|
||||
|
||||
* src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in
|
||||
bounds checking.
|
||||
|
||||
2015-10-21 Dave Arnold <darnold@adobe.com>
|
||||
|
||||
[cff] Fix limit in assert for max hints.
|
||||
|
@ -640,7 +640,7 @@
|
||||
|
||||
string_buf = parser->root.cursor + 1; /* one space after `RD' */
|
||||
|
||||
if ( (FT_ULong)( limit - parser->root.cursor ) < string_size )
|
||||
if ( (FT_ULong)( limit - parser->root.cursor ) <= string_size )
|
||||
{
|
||||
FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
|
||||
error = FT_THROW( Invalid_File_Format );
|
||||
|
Loading…
Reference in New Issue
Block a user