| 1 |
From 5a0c6522682b0788fc478dd159dd6168cb5fa38b Mon Sep 17 00:00:00 2001 |
| 2 |
From: Jeremy Tan <jtanx@outlook.com> |
| 3 |
Date: Sun, 30 Jul 2017 11:42:26 +0800 |
| 4 |
Subject: [PATCH 5/6] parsettf.c: Fix buffer overflow condition when reading |
| 5 |
CFF top dictionary |
| 6 |
|
| 7 |
Closes #3087 |
| 8 |
--- |
| 9 |
fontforge/parsettf.c | 11 ++++++++++- |
| 10 |
1 file changed, 10 insertions(+), 1 deletion(-) |
| 11 |
|
| 12 |
--- a/fontforge/parsettf.c |
| 13 |
+++ b/fontforge/parsettf.c |
| 14 |
@@ -2773,6 +2773,15 @@ |
| 15 |
pt = buffer; |
| 16 |
do { |
| 17 |
ch = getc(ttf); |
| 18 |
+ // Space for at least 2 bytes is required |
| 19 |
+ if ((pt-buffer) > (sizeof(buffer) - 2)) { |
| 20 |
+ // The buffer is completely full; null-terminate truncate it |
| 21 |
+ if ((pt-buffer) == sizeof(buffer)) { |
| 22 |
+ pt--; |
| 23 |
+ } |
| 24 |
+ *pt++ = '\0'; |
| 25 |
+ break; |
| 26 |
+ } |
| 27 |
if ( pt<buffer+44 || (ch&0xf)==0xf || (ch&0xf0)==0xf0 ) { |
| 28 |
pt = addnibble(pt,ch>>4); |
| 29 |
pt = addnibble(pt,ch&0xf); |
| 30 |
@@ -2996,7 +3005,7 @@ |
| 31 |
|
| 32 |
/* Multiple master fonts can have Type2 operators here, particularly */ |
| 33 |
/* blend operators. We're ignoring that */ |
| 34 |
- while ( ftell(ttf)<base+len ) { |
| 35 |
+ while ( !feof(ttf) && ftell(ttf)<base+len ) { |
| 36 |
sp = 0; |
| 37 |
while ( (ret=readcffthing(ttf,&ival,&stack[sp],&oval,info))!=3 && ftell(ttf)<base+len ) { |
| 38 |
if ( ret==1 ) |
Parent Directory
| 
Revision Log