freetype-commit

[freetype2] master 59ae73f: [cid] Better check of `SubrCount' dictionary


From: Werner LEMBERG
Subject: [freetype2] master 59ae73f: [cid] Better check of `SubrCount' dictionary entry (#46272).
Date: Thu, 22 Oct 2015 07:26:25 +0000

branch: master
commit 59ae73fe1658f5cf001f76b983abbdb1f1ff6dc2
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [cid] Better check of `SubrCount' dictionary entry (#46272).
    
    * src/cid/cidload.c (cid_face_open): Add more sanity tests for
    `fd_bytes', `gd_bytes', `sd_bytes', and `num_subrs'.
---
 ChangeLog         |    7 +++++++
 src/cid/cidload.c |   23 ++++++++++++++++++++---
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 79700aa..f01f149 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-22  Werner Lemberg  <address@hidden>
+
+       [cid] Better check of `SubrCount' dictionary entry (#46272).
+
+       * src/cid/cidload.c (cid_face_open): Add more sanity tests for
+       `fd_bytes', `gd_bytes', `sd_bytes', and `num_subrs'.
+
 2015-10-21  Werner Lemberg  <address@hidden>
 
        [base] Pacify compiler (#46266).
diff --git a/src/cid/cidload.c b/src/cid/cidload.c
index aa125a4..7c39c02 100644
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -750,6 +750,14 @@
 
     /* sanity tests */
 
+    if ( cid->fd_bytes < 0 || cid->gd_bytes < 0 )
+    {
+      FT_ERROR(( "cid_parse_dict:"
+                 " Invalid `FDBytes' or `GDBytes' value\n" ));
+      error = FT_THROW( Invalid_File_Format );
+      goto Exit;
+    }
+
     /* allow at most 32bit offsets */
     if ( cid->fd_bytes > 4 || cid->gd_bytes > 4 )
     {
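Review bot: The combined message for `cid->fd_bytes < 0 || cid->gd_bytes < 0` does not say which of the two entries was rejected or what value was scanned, which makes a malformed font harder to triage from trace output; consider one message per field, or printing the value. The prefix `cid_parse_dict:` also differs from the function the ChangeLog entry names (`cid_face_open`), so anyone searching the trace by function name will look in the wrong place.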
@@ -769,6 +777,13 @@
       CID_FaceDict  dict = cid->font_dicts + n;
 
 
+      if ( dict->sd_bytes < 0 )
+      {
+        FT_ERROR(( "cid_parse_dict: Invalid `SDBytes' value\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Exit;
+      }
+
       if ( dict->sd_bytes > 4 )
       {
         FT_ERROR(( "cid_parse_dict:"
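Review bot: With `dict->sd_bytes < 0` added above the existing `dict->sd_bytes > 4` test, the accepted range is 0 to 4, and the 0 case deserves a comment here. The `SubrCount' test in the next hunk only applies its size bound when `dict->sd_bytes` is non-zero, so for a dictionary with `SDBytes' of 0 the only limit on `num_subrs` is the negative check. If 0 is legitimate only when there are no subroutines, say so here or reject a non-zero `num_subrs` in that case.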
@@ -785,9 +800,11 @@
         goto Exit;
       }
 
-      if ( dict->sd_bytes                                              &&
-           dict->num_subrs >
-             ( binary_length - dict->subrmap_offset ) / dict->sd_bytes )
+      /* `num_subrs' is scanned as a signed integer */
+      if ( (FT_Int)dict->num_subrs < 0                                     ||
+           ( dict->sd_bytes                                              &&
+             dict->num_subrs > ( binary_length - dict->subrmap_offset ) /
+                                 (FT_UInt)dict->sd_bytes                 ) )
       {
         FT_ERROR(( "cid_parse_dict: Invalid `SubrCount' value\n" ));
         error = FT_THROW( Invalid_File_Format );
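Review bot: In the rewritten condition the bound is `( binary_length - dict->subrmap_offset ) / (FT_UInt)dict->sd_bytes`, which is only meaningful if `subrmap_offset` cannot exceed `binary_length` at this point; otherwise the subtraction wraps and the limit becomes very large. The check that ends just above this hunk presumably guarantees that, so a short comment stating the dependency would keep a later reordering from silently removing the protection. The `(FT_Int)dict->num_subrs < 0` cast works, but it relies on the field and `FT_Int` having the same width; the comment could note that as well.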


