freetype-commit

[freetype2] master e305861: [type1] Fix potential buffer overflow (#45923).


From: Werner LEMBERG
Subject: [freetype2] master e305861: [type1] Fix potential buffer overflow (#45923).
Date: Sun, 13 Sep 2015 06:43:36 +0000

branch: master
commit e3058617f384cb6709f3878f753fa17aca9e3a30
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [type1] Fix potential buffer overflow (#45923).
    
    * src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
    point to end of file buffer.
---
 ChangeLog           |    7 +++++++
 src/type1/t1parse.c |    9 +++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3618f24..47cfcf3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2015-09-13  Werner Lemberg  <address@hidden>
 
+       [type1] Fix potential buffer overflow (#45923).
+
+       * src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
+       point to end of file buffer.
+
+2015-09-13  Werner Lemberg  <address@hidden>
+
        [gzip] Fix access of small compressed files (#45937).
 
        * src/gzip/ftgzip.c (ft_gzip_stream_close): Avoid memory leak.
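Review bot: The new ChangeLog entry for `T1_Get_Private_Dict` states the invariant ("`cur' doesn't point to end of file buffer") but not the behaviour change that enforces it. The t1parse.c hunk makes the function fail with `Invalid_File_Format` in that case, so the entry could say so, for example "Reject fonts where `cur' reaches the end of the file buffer", which tells a reader of the log that some malformed Type 1 fonts are now refused with an error.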
diff --git a/src/type1/t1parse.c b/src/type1/t1parse.c
index c73b2b2..d8d4df2 100644
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -389,6 +389,15 @@
 
       cur   = limit;
       limit = parser->base_dict + parser->base_len;
+
+      if ( cur >= limit )
+      {
+        FT_ERROR(( "T1_Get_Private_Dict:"
+                   " premature end in private dictionary\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Exit;
+      }
+
       goto Again;
 
       /* now determine where to write the _encrypted_ binary private  */
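Review bot: The new `if ( cur >= limit )` block, between the `limit` reassignment and `goto Again`, has no comment explaining why the check belongs at this point, while the surrounding code is commented. After `cur = limit;` the pointer sits at the previous search limit, and once `limit` is reset to `parser->base_dict + parser->base_len` the two can be equal, which is the end-of-buffer case the commit message names; a one-line comment saying that would keep the guard from looking redundant to a later reader. Only this jump to `Again` is guarded in the hunk, so it is worth confirming that every other path reaching that label also arrives with `cur < limit`.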


