From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 12 Nov 2014 20:26:44 +0000
Subject: [sfnt] Fix Savannah bug #43590.
* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.
Index: freetype-2.4.8/src/sfnt/ttload.c
12
===================================================================
13
--- freetype-2.4.8.orig/src/sfnt/ttload.c 2015-02-24 10:11:31.606211984 -0500
14
+++ freetype-2.4.8/src/sfnt/ttload.c 2015-02-24 10:11:31.606211984 -0500
18
/* we ignore invalid tables */
19
- if ( table.Offset + table.Length > stream->size )
21
+ /* table.Offset + table.Length > stream->size ? */
22
+ if ( table.Length > stream->size ||
23
+ table.Offset > stream->size - table.Length )
25
FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
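Review bot: The new two-part condition in check_table_dir is only correct because of its operand order, and the comment above it does not say so. If `table.Length > stream->size` were not tested first, `stream->size - table.Length` would wrap around and the offset comparison would no longer reject an oversized table. The retained comment only restates the old expression, so I would add something like `/* test Length first so that size - Length cannot wrap */` here and at the identical check on `entry` in tt_face_load_font_dir. This presumes Offset, Length and stream->size are all unsigned, which the hunks do not show; it is worth confirming, since `entry->Length` is filled from `FT_GET_LONG()`. Both function bodies start and end outside the hunks.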
28
entry->Length = FT_GET_LONG();
30
/* ignore invalid tables */
31
- if ( entry->Offset + entry->Length > stream->size )
33
+ /* entry->Offset + entry->Length > stream->size ? */
34
+ if ( entry->Length > stream->size ||
35
+ entry->Offset > stream->size - entry->Length )