* src/base/ftobj.c (Mac_Read_POST_Resource): Additional
overflow check in the summation of POST fragment lengths, suggested by Mateusz Jurczyk <mjurczyk@google.com>.
This commit is contained in:
parent
1720e81e3e
commit
cd4a5a26e5
@ -1,3 +1,9 @@
|
||||
2014-11-26 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
* src/base/ftobj.c (Mac_Read_POST_Resource): Additional
|
||||
overflow check in the summation of POST fragment lengths,
|
||||
suggested by Mateusz Jurczyk <mjurczyk@google.com>.
|
||||
|
||||
2014-11-26 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
* src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments
|
||||
|
@ -1586,8 +1586,10 @@
|
||||
*/
|
||||
FT_TRACE4(( " POST fragment #%d: length=0x%08x\n",
|
||||
i, temp));
|
||||
if ( 0x7FFFFFFFUL < temp )
|
||||
if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
|
||||
{
|
||||
FT_TRACE2(( " too long fragment length makes"
|
||||
" pfb_len confused: temp=0x%08x\n", temp ));
|
||||
error = FT_THROW( Invalid_Offset );
|
||||
goto Exit;
|
||||
}
|
||||
@ -1600,8 +1602,7 @@
|
||||
resource_cnt, pfb_len + 2));
|
||||
if ( pfb_len + 2 < 6 ) {
|
||||
FT_TRACE2(( " too long fragment length makes"
|
||||
" pfb_len confused: 0x%08x\n",
|
||||
pfb_len ));
|
||||
" pfb_len confused: pfb_len=0x%08x\n", pfb_len ));
|
||||
error = FT_THROW( Array_Too_Large );
|
||||
goto Exit;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user