
ref: 93a884c6cdb4477ba14ec34cadcf5e137a3c7eff
parent: b57bb11ad015e2d41426d435d6e5ba692afba207
author: Werner Lemberg <[email protected]>
date: Thu Feb 19 09:11:16 EST 2015

[cff] Emit better error code for invalid private dict size.

* src/cff/cffparse.c (cff_parse_private_dict): Reject negative
values for size and offset.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2015-02-19  Werner Lemberg  <[email protected]>
 
+	[cff] Emit better error code for invalid private dict size.
+
+	* src/cff/cffparse.c (cff_parse_private_dict): Reject negative
+	values for size and offset.
+
+2015-02-19  Werner Lemberg  <[email protected]>
+
 	[autofit] Fix signedness issues.
 
 	* src/autofit/afangles.c, src/autofit/afcjk.c,
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -617,8 +617,27 @@
 
     if ( parser->top >= parser->stack + 2 )
     {
-      dict->private_size   = cff_parse_num( data++ );
-      dict->private_offset = cff_parse_num( data   );
+      FT_Long  tmp;
+
+
+      tmp = cff_parse_num( data++ );
+      if ( tmp < 0 )
+      {
+        FT_ERROR(( "cff_parse_private_dict: Invalid dictionary size\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
+      dict->private_size = (FT_ULong)tmp;
+
+      tmp = cff_parse_num( data );
+      if ( tmp < 0 )
+      {
+        FT_ERROR(( "cff_parse_private_dict: Invalid dictionary offset\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
+      dict->private_offset = (FT_ULong)tmp;
+
       FT_TRACE4(( " %lu %lu\n",
                   dict->private_size, dict->private_offset ));
 
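Review bot: The two new `tmp < 0` checks in cff_parse_private_dict reject only negative operands; a positive size or offset larger than the available CFF data is still stored unchanged in `dict->private_size` and `dict->private_offset`. Both values are read from the font file, so the code that later seeks to the private dictionary has to verify `offset <= data_size` and `size <= data_size - offset` (written that way to avoid wrap-around) before reading. That code is outside this hunk, so whether it already does so cannot be confirmed from here. Once confirmed, a short comment above the checks would record the contract, e.g. `/* only the sign is validated here; the range is checked when the private dict is loaded */`. The function starts before this hunk and ends in the next one, where the `Fail:` label is added.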
@@ -625,6 +644,7 @@
       error = FT_Err_Ok;
     }
 
+  Fail:
     return error;
   }