From ba03af6f91321ab7688f7368730d9fa650fd6c27 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 30 May 2007 13:57:02 +0000
Subject: [PATCH] * src/type1/t1load.c (parse_subrs, parse_charstrings): Protect against too small binary data strings. * src/bdf/bdflib.c (_bdf_parse_glyphs): Check `STARTCHAR' better.
---
 ChangeLog | 7 +++++++
 src/bdf/bdflib.c | 6 ++++++
 src/type1/t1load.c | 16 ++++++++++++++--
 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ecad07303..2b9e7978a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2007-05-30 Werner Lemberg
+
+ * src/type1/t1load.c (parse_subrs, parse_charstrings): Protect
+ against too small binary data strings.
+
+ * src/bdf/bdflib.c (_bdf_parse_glyphs): Check `STARTCHAR' better.
+
 2007-05-28 David Turner
 * src/cff/cffgload.c (cff_slot_load): Do not apply the identity
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index 93061bb83..8dade71ba 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1537,6 +1537,12 @@
 s = _bdf_list_join( &p->list, ' ', &slen );
+ if ( !s )
+ {
+ error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
 if ( FT_NEW_ARRAY( p->glyph_name, slen + 1 ) )
 goto Exit;
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index ed56bb46d..c64f5f0ce 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1379,6 +1379,12 @@
 FT_Byte* temp;
+ if ( size <= face->type1.private_dict.lenIV )
+ {
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
 /* t1_decrypt() shouldn't write to base -- make temporary copy */
 if ( FT_ALLOC( temp, size ) )
 goto Fail;
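Review bot: The new `if ( !s )` branch after `_bdf_list_join()` has no comment saying which input makes the join return NULL, so the reason for `BDF_Err_Invalid_File_Format` is not obvious at the call site. Presumably this is a STARTCHAR line with nothing after the keyword; if so, a one-line comment above the check such as `/* STARTCHAR line without a glyph name: nothing to join */` would record that. The enclosing function starts and ends outside the hunk, so the state of `slen` on this path cannot be confirmed from here.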
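Review bot: The guard `if ( size <= face->type1.private_dict.lenIV )` in the first t1load.c hunk also rejects a record whose length equals lenIV exactly, i.e. one that is empty once the lenIV prefix bytes are skipped, and it fails the whole font load for it. If such empty records should be tolerated, `<` would still keep the remaining length non-negative (assuming the code below subtracts lenIV from size, which is outside this hunk); otherwise a comment like `/* need at least one byte after the lenIV prefix */` would make the choice explicit. The same check is added in the second t1load.c hunk (`@@ -1548,12 +1554,18 @@`), where the `lenIV >= 0` condition is visible; in this hunk the enclosing condition lies outside the shown lines, so it should be confirmed that lenIV cannot be negative here.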
@@ -1548,12 +1554,18 @@
 notdef_found = 1;
 }
- if ( face->type1.private_dict.lenIV >= 0 &&
- n < num_glyphs + TABLE_EXTEND )
+ if ( face->type1.private_dict.lenIV >= 0 &&
+ n < num_glyphs + TABLE_EXTEND )
 {
 FT_Byte* temp;
+ if ( size <= face->type1.private_dict.lenIV )
+ {
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
 /* t1_decrypt() shouldn't write to base -- make temporary copy */
 if ( FT_ALLOC( temp, size ) )
 goto Fail;
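Review bot: The removed and added `if ( face->type1.private_dict.lenIV >= 0 &&` / `n < num_glyphs + TABLE_EXTEND )` lines differ only in whitespace as far as this page shows, which mixes a formatting change into a fix for malformed input. Keeping the realignment in a separate commit would leave this patch as the six-line length check alone, which is easier to audit and to backport. The enclosing function starts and ends outside the hunk.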