--- freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:58:50.000000000 +0200
+++ freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:59:31.000000000 +0200
@@ -1529,6 +1529,7 @@
 FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", i, offsets[i], rlen, flags ));
+ /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
 if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ continue;
@@ -1568,6 +1569,10 @@
 pfb_data[pfb_pos++] = 0;
 }
+ error = FT_Err_Cannot_Open_Resource;
+ if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+ goto Exit2;
+
 error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
 if ( error )
 goto Exit2;
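Review bot: The added comment in the first hunk sits directly above the `( flags >> 8 ) == 0` skip test, where no length check takes place, and its wording suggests that FT_Stream_Read() itself validates rlen against the destination buffer. The bound is actually enforced by the caller-side test that the second hunk inserts just before the read. A more precise wording would be `/* rlen is checked against the remaining pfb_data space just before FT_Stream_Read() below */`, so that a later reader does not remove the explicit test on the assumption that the stream layer covers it. The enclosing loop and function start and end outside the hunk.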
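Review bot: The new guard `pfb_pos + rlen > pfb_len` in the second hunk adds a length taken from the font file before comparing it, so the sum itself can overflow or, if rlen is a signed type holding a negative value, come out small enough to pass. The declarations of pfb_pos, pfb_len and rlen are outside the hunk, so their signedness should be confirmed. In either case the subtraction form avoids the problem, because pfb_pos is already known not to exceed pfb_len: `if ( rlen < 0 || pfb_pos > pfb_len || rlen > pfb_len - pfb_pos )`. If rlen turns out to be unsigned, the first clause can be dropped and an upper limit on rlen applied where it is read instead. A short comment on the guard stating that rlen is untrusted file data would also help.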