From 5a0c6522682b0788fc478dd159dd6168cb5fa38b Mon Sep 17 00:00:00 2001
From: Jeremy Tan <jtanx@outlook.com>
Date: Sun, 30 Jul 2017 11:42:26 +0800
Subject: [PATCH 5/6] parsettf.c: Fix buffer overflow condition when reading
CFF top dictionary
Closes #3087
---
fontforge/parsettf.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/fontforge/parsettf.c
+++ b/fontforge/parsettf.c
@@ -2773,6 +2773,15 @@
pt = buffer;
do {
ch = getc(ttf);
+ // Space for at least 2 bytes is required
+ if ((pt-buffer) > (sizeof(buffer) - 2)) {
+ // The buffer is completely full; null-terminate truncate it
+ if ((pt-buffer) == sizeof(buffer)) {
+ pt--;
+ }
+ *pt++ = '\0';
+ break;
+ }
if ( pt<buffer+44 || (ch&0xf)==0xf || (ch&0xf0)==0xf0 ) {
pt = addnibble(pt,ch>>4);
pt = addnibble(pt,ch&0xf);
@@ -2996,7 +3005,7 @@
/* Multiple master fonts can have Type2 operators here, particularly */
/* blend operators. We're ignoring that */
- while ( ftell(ttf)<base+len ) {
+ while ( !feof(ttf) && ftell(ttf)<base+len ) {
sp = 0;
while ( (ret=readcffthing(ttf,&ival,&stack[sp],&oval,info))!=3 && ftell(ttf)<base+len ) {
if ( ret==1 )
distrib
>
Mageia
>
5
>
x86_64
>
media
>
core-updates-src
>
by-pkgid
>
079c19a673e0f05cc5c0a8bc393dcc53
>
files
>
5
