- --- freetype-2.3.11/src/type42/t42parse.c 2009-07-03 15:28:24.000000000 +0200
- +++ freetype-2.3.11/src/type42/t42parse.c 2010-09-23 12:15:56.000000000 +0200
- @@ -4,7 +4,7 @@
- /* */
- /* Type 42 font parser (body). */
- /* */
- -/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
- +/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
- /* Roberto Alameda. */
- /* */
- /* This file is part of the FreeType project, and may only be used, */
- @@ -575,6 +575,12 @@
- }
-
- string_size = T1_ToInt( parser );
- + if ( string_size < 0 )
- + {
- + FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
- + error = T42_Err_Invalid_File_Format;
- + goto Fail;
- + }
-
- T1_Skip_PS_Token( parser ); /* `RD' */
- if ( parser->root.error )
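Review bot: The added `string_size < 0` test has no comment saying why it is needed, and the reason is not obvious from this hunk alone. The bounds check a few lines further down compares `limit - parser->root.cursor` against `string_size` and then adds `string_size + 1` to the cursor, so a negative value would pass that comparison and move the cursor backwards. I would put `/* a negative size would pass the bounds check below and move the cursor backwards */` above the `if`. The enclosing function starts and ends outside the hunk, so the declared type of `string_size` is not visible here.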
- @@ -582,13 +588,14 @@
-
- string_buf = parser->root.cursor + 1; /* one space after `RD' */
-
- - parser->root.cursor += string_size + 1;
- - if ( parser->root.cursor >= limit )
- + if ( limit - parser->root.cursor < string_size )
- {
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
- error = T42_Err_Invalid_File_Format;
- goto Fail;
- }
- + else
- + parser->root.cursor += string_size + 1;
- }
-
- if ( !string_buf )
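Review bot: The new test `limit - parser->root.cursor < string_size` still accepts `string_size == limit - parser->root.cursor`, which looks like an off-by-one. Since `string_buf` is `cursor + 1`, the string data would then end one byte past `limit`, and the `else` branch advances the cursor to `limit + 1`. If `limit` is the one-past-the-end pointer of the parse buffer, as it appears to be, the comparison should be `if ( limit - parser->root.cursor <= string_size )`. The removed code rejected this case through its `>=` test after the addition, so the rewrite is slightly looser at the boundary while fixing the pointer wrap. The check also assumes the cursor is not already beyond `limit` after `T1_Skip_PS_Token`, which cannot be confirmed from this hunk because the function body continues outside it.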