From 5a0c6522682b0788fc478dd159dd6168cb5fa38b Mon Sep 17 00:00:00 2001 |
From: Jeremy Tan <jtanx@outlook.com> |
Date: Sun, 30 Jul 2017 11:42:26 +0800 |
Subject: [PATCH 5/6] parsettf.c: Fix buffer overflow condition when reading |
CFF top dictionary |
Closes #3087 |
--- |
fontforge/parsettf.c | 11 ++++++++++- |
1 file changed, 10 insertions(+), 1 deletion(-) |
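--- a/fontforge/parsettf.c
+++ b/fontforge/parsettf.c
@@ -2773,6 +2773,15 @@
 pt = buffer;
 do {
 ch = getc(ttf);
+ // Space for at least 2 bytes is required
+ if ((pt-buffer) > (sizeof(buffer) - 2)) {
+ // The buffer is completely full; null-terminate truncate it
+ if ((pt-buffer) == sizeof(buffer)) {
+ pt--;
+ }
+ *pt++ = '\0';
+ break;
+ }
 if ( pt<buffer+44 || (ch&0xf)==0xf || (ch&0xf0)==0xf0 ) {
 pt = addnibble(pt,ch>>4);
 pt = addnibble(pt,ch&0xf);
@@ -2996,7 +3005,7 @@
 
 /* Multiple master fonts can have Type2 operators here, particularly */
 /* blend operators. We're ignoring that */
-while ( ftell(ttf)<base+len ) {
+while ( !feof(ttf) && ftell(ttf)<base+len ) {
 sp = 0;
 while ( (ret=readcffthing(ttf,&ival,&stack[sp],&oval,info))!=3 && ftell(ttf)<base+len ) {
 if ( ret==1 )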
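Review bot: The guard `if ((pt-buffer) > (sizeof(buffer) - 2))` in the first hunk reserves two bytes, but the two addnibble calls that follow it can write more than that in a single iteration: the CFF real-number encoding maps nibble 0xc to the two-character sequence `E-`, so a byte such as 0xfc or 0xcf passes the `(ch&0xf)==0xf || (ch&0xf0)==0xf0` filter and, if addnibble follows that encoding, emits three bytes, leaving pt past the end of buffer and the later `*pt++ = '\0'` writing out of bounds as well. Sizing the reservation to the worst case an iteration can write makes the existing `== sizeof(buffer)` branch the only overshoot left to handle: `// Space for the worst case (two 2-byte nibbles) is required` and `if ((size_t)(pt-buffer) > sizeof(buffer) - 4) {`. The cast also removes the ptrdiff_t-versus-size_t signed/unsigned comparison in the new condition. The enclosing do-while and its function start before and end after this hunk, and buffer's declared size is not visible here, so the exact margin should be confirmed against addnibble and the declaration.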