AuroraMiddleware/freetype
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[type1] Fix potential buffer overflow (#45923).

Browse Source 
* src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
point to end of file buffer.
This commit is contained in:
Werner Lemberg 2015-09-13 08:41:43 +02:00
parent e40e8b33a1
commit e3058617f3
2 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,3 +1,10 @@
2015-09-13 Werner Lemberg <wl@gnu.org>
[type1] Fix potential buffer overflow (#45923).
* src/type1/t1parse.c (T1_Get_Private_Dict): Assure `cur' doesn't
point to end of file buffer.
2015-09-13 Werner Lemberg <wl@gnu.org>
[gzip] Fix access of small compressed files (#45937).

9
src/type1/t1parse.c
View File

@ -389,6 +389,15 @@
cur = limit;
limit = parser->base_dict + parser->base_len;
if ( cur >= limit )
{
FT_ERROR(( "T1_Get_Private_Dict:"
" premature end in private dictionary\n" ));
error = FT_THROW( Invalid_File_Format );
goto Exit;
}
goto Again;
/* now determine where to write the _encrypted_ binary private */