freetype-commit

[freetype2] master 7962a15: [type1] Fix another potential buffer overflo


From: Werner LEMBERG
Subject: [freetype2] master 7962a15: [type1] Fix another potential buffer overflow (#45955).
Date: Sun, 13 Sep 2015 22:41:09 +0000

branch: master
commit 7962a15d64c876870ca0ae435ea2467d9be268d9
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [type1] Fix another potential buffer overflow (#45955).
    
    * src/type1/t1parse (T1_Get_Private_Dict): Assure that check for
    `eexec' doesn't exceed `limit'.
---
 ChangeLog           |    7 +++++++
 src/type1/t1parse.c |   18 ++++++++++++------
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 35bc86d..be16ae0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-09-14  Werner Lemberg  <address@hidden>
+
+       [type1] Fix another potential buffer overflow (#45955).
+
+       * src/type1/t1parse (T1_Get_Private_Dict): Assure that check for
+       `eexec' doesn't exceed `limit'.
+
 2015-09-13  Werner Lemberg  <address@hidden>
 
        Replace `mkinstalldirs' with AC_PROG_MKDIR_P.
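Review bot: The ChangeLog entry names the file as `src/type1/t1parse`, but the file this commit touches is `src/type1/t1parse.c` (see the diffstat); add the `.c` so the entry can be matched to the source file when searching the log. It would also help anyone auditing #45955 if the entry said that the check being bounded is the second `eexec` search, which previously called `ft_strncmp` with no test against `limit`.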
diff --git a/src/type1/t1parse.c b/src/type1/t1parse.c
index d8d4df2..0b68502 100644
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -334,7 +334,6 @@
       /* first of all, look at the `eexec' keyword */
       FT_Byte*    cur   = parser->base_dict;
       FT_Byte*    limit = cur + parser->base_len;
-      FT_Byte     c;
       FT_Pointer  pos_lf;
       FT_Bool     test_cr;
 
@@ -342,9 +341,9 @@
     Again:
       for (;;)
       {
-        c = cur[0];
-        if ( c == 'e' && cur + 9 < limit )  /* 9 = 5 letters for `eexec' + */
-                                            /* whitespace + 4 chars        */
+        if ( cur[0] == 'e'   &&
+             cur + 9 < limit )      /* 9 = 5 letters for `eexec' + */
+                                    /* whitespace + 4 chars        */
         {
           if ( cur[1] == 'e' &&
                cur[2] == 'x' &&
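Review bot: In the rewritten condition, `cur[0] == 'e'` is still evaluated before `cur + 9 < limit`, and nothing in the lines shown for this `for (;;)` loop tests `cur < limit` ahead of that first read. If the rest of the loop does not already guarantee it, put the bounds test first (`cur + 9 < limit && cur[0] == 'e'`) so that no byte is read until the range is known to lie inside the buffer. Apart from that ordering, the visible change only drops the temporary `c` and reflows the comment, which the commit message could state so the hunk is not mistaken for part of the fix.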
@@ -374,8 +373,15 @@
 
       while ( cur < limit )
       {
-        if ( *cur == 'e' && ft_strncmp( (char*)cur, "eexec", 5 ) == 0 )
-          goto Found;
+        if ( cur[0] == 'e'   &&
+             cur + 5 < limit )
+        {
+          if ( cur[1] == 'e' &&
+               cur[2] == 'x' &&
+               cur[3] == 'e' &&
+               cur[4] == 'c' )
+            goto Found;
+        }
 
         T1_Skip_PS_Token( parser );
         if ( parser->root.error )
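Review bot: The new guard `cur + 5 < limit` carries no comment explaining the 5, unlike the `cur + 9 < limit` test in the first loop. The reads are `cur[1]` through `cur[4]`, which need only `cur + 4 < limit`, so the stricter bound additionally demands one byte after the keyword; as written, an `eexec` that ends exactly at `limit` is passed to `T1_Skip_PS_Token` instead of reaching `Found`. Please say in a comment whether that is intended. The four-character comparison is now duplicated in both loops, so a small helper or macro taking `cur` and `limit` would keep the two bounds from drifting apart.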


