[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 7962a15: [type1] Fix another potential buffer overflo
From: |
Werner LEMBERG |
Subject: |
[freetype2] master 7962a15: [type1] Fix another potential buffer overflow (#45955). |
Date: |
Sun, 13 Sep 2015 22:41:09 +0000 |
branch: master
commit 7962a15d64c876870ca0ae435ea2467d9be268d9
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[type1] Fix another potential buffer overflow (#45955).
* src/type1/t1parse (T1_Get_Private_Dict): Assure that check for
`eexec' doesn't exceed `limit'.
---
ChangeLog | 7 +++++++
src/type1/t1parse.c | 18 ++++++++++++------
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 35bc86d..be16ae0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-09-14 Werner Lemberg <address@hidden>
+
+ [type1] Fix another potential buffer overflow (#45955).
+
+ * src/type1/t1parse (T1_Get_Private_Dict): Assure that check for
+ `eexec' doesn't exceed `limit'.
+
2015-09-13 Werner Lemberg <address@hidden>
Replace `mkinstalldirs' with AC_PROG_MKDIR_P.
diff --git a/src/type1/t1parse.c b/src/type1/t1parse.c
index d8d4df2..0b68502 100644
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -334,7 +334,6 @@
/* first of all, look at the `eexec' keyword */
FT_Byte* cur = parser->base_dict;
FT_Byte* limit = cur + parser->base_len;
- FT_Byte c;
FT_Pointer pos_lf;
FT_Bool test_cr;
@@ -342,9 +341,9 @@
Again:
for (;;)
{
- c = cur[0];
- if ( c == 'e' && cur + 9 < limit ) /* 9 = 5 letters for `eexec' + */
- /* whitespace + 4 chars */
+ if ( cur[0] == 'e' &&
+ cur + 9 < limit ) /* 9 = 5 letters for `eexec' + */
+ /* whitespace + 4 chars */
{
if ( cur[1] == 'e' &&
cur[2] == 'x' &&
@@ -374,8 +373,15 @@
while ( cur < limit )
{
- if ( *cur == 'e' && ft_strncmp( (char*)cur, "eexec", 5 ) == 0 )
- goto Found;
+ if ( cur[0] == 'e' &&
+ cur + 5 < limit )
+ {
+ if ( cur[1] == 'e' &&
+ cur[2] == 'x' &&
+ cur[3] == 'e' &&
+ cur[4] == 'c' )
+ goto Found;
+ }
T1_Skip_PS_Token( parser );
if ( parser->root.error )
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 7962a15: [type1] Fix another potential buffer overflow (#45955).,
Werner LEMBERG <=