forked from pool/freetype2
60 lines
1.9 KiB
Diff
60 lines
1.9 KiB
Diff
|
From 0545ec1ca36b27cb928128870a83e5f668980bc5 Mon Sep 17 00:00:00 2001
|
||
|
From: Werner Lemberg <wl@gnu.org>
|
||
|
Date: Fri, 20 Mar 2009 05:49:10 +0000
|
||
|
Subject: Protect against invalid SID values in CFFs.
|
||
|
|
||
|
Problem reported by Tavis Ormandy <taviso@google.com>.
|
||
|
|
||
|
* src/cff/cffload.c (cff_charset_load): Reject SID values larger
|
||
|
than 64999.
|
||
|
---
|
||
|
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
|
||
|
index 22163fb..24b899d 100644
|
||
|
--- a/src/cff/cffload.c
|
||
|
+++ b/src/cff/cffload.c
|
||
|
@@ -842,7 +842,20 @@
|
||
|
goto Exit;
|
||
|
|
||
|
for ( j = 1; j < num_glyphs; j++ )
|
||
|
- charset->sids[j] = FT_GET_USHORT();
|
||
|
+ {
|
||
|
+ FT_UShort sid = FT_GET_USHORT();
|
||
|
+
|
||
|
+
|
||
|
+ /* this constant is given in the CFF specification */
|
||
|
+ if ( sid < 65000 )
|
||
|
+ charset->sids[j] = sid;
|
||
|
+ else
|
||
|
+ {
|
||
|
+ FT_ERROR(( "cff_charset_load:"
|
||
|
+ " invalid SID value %d set to zero\n", sid ));
|
||
|
+ charset->sids[j] = 0;
|
||
|
+ }
|
||
|
+ }
|
||
|
|
||
|
FT_FRAME_EXIT();
|
||
|
}
|
||
|
@@ -875,6 +888,20 @@
|
||
|
goto Exit;
|
||
|
}
|
||
|
|
||
|
+ /* check whether the range contains at least one valid glyph; */
|
||
|
+ /* the constant is given in the CFF specification */
|
||
|
+ if ( glyph_sid >= 65000 ) {
|
||
|
+ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
|
||
|
+ error = CFF_Err_Invalid_File_Format;
|
||
|
+ goto Exit;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* try to rescue some of the SIDs if `nleft' is too large */
|
||
|
+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
|
||
|
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
|
||
|
+ nleft = 65000 - 1 - glyph_sid;
|
||
|
+ }
|
||
|
+
|
||
|
/* Fill in the range of sids -- `nleft + 1' glyphs. */
|
||
|
for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
|
||
|
charset->sids[j] = glyph_sid;
|
||
|
--
|
||
|
cgit v0.8.2
|