authorWerner Lemberg <wl@gnu.org>2011-03-20 07:51:57 +0100
committerWerner Lemberg <wl@gnu.org>2011-03-20 07:51:57 +0100
commitaf7b8b1a9f33399fe686c3ba44ae8ae655bfe513 (patch)
tree2ed492c11d13e91cee268ff0b993610dbcb6a7c3
parent8bd77f9030a718daf6526ce631e9e79fd62a95bd (diff)
* src/sfnt/sfobjs.c (sfnt_open_font): Check number of TTC subfonts.
-rw-r--r--ChangeLog4
-rw-r--r--src/sfnt/sfobjs.c17
2 files changed, 18 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 8678ecb2..00130594 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2011-03-20 Werner Lemberg <wl@gnu.org>
+
+ * src/sfnt/sfobjs.c (sfnt_open_font): Check number of TTC subfonts.
+
2011-03-19 Werner Lemberg <wl@gnu.org>
More C++ compilation fixes.
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index 5a1d0031..e581af9b 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -4,7 +4,7 @@
/* */
/* SFNT object management (base). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010 by */
+/* Copyright 1996-2008, 2010-2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -356,7 +356,7 @@
FT_FRAME_START( 8 ),
FT_FRAME_LONG( version ),
- FT_FRAME_LONG( count ),
+ FT_FRAME_LONG( count ), /* this is ULong in the specs */
FT_FRAME_END
};
@@ -390,6 +390,17 @@
if ( FT_STREAM_READ_FIELDS( ttc_header_fields, &face->ttc_header ) )
return error;
+ if ( face->ttc_header.count == 0 )
+ return SFNT_Err_Invalid_Table;
+
+ /* a rough size estimate: let's conservatively assume that there */
+ /* is just a single table info in each subfont header (12 + 16*1 = */
+ /* 28 bytes), thus we have (at least) `12 + 4*count' bytes for the */
+ /* size of the TTC header plus `28*count' bytes for all subfont */
+ /* headers */
+ if ( (FT_ULong)face->ttc_header.count > stream->size / ( 28 + 4 ) )
+ return SFNT_Err_Array_Too_Large;
+
/* now read the offsets of each font in the file */
if ( FT_NEW_ARRAY( face->ttc_header.offsets, face->ttc_header.count ) )
return error;
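Review bot: The `count` field is read with FT_FRAME_LONG into a signed FT_Long (the new comment on the field itself says the spec makes it unsigned), so a value with the top bit set arrives negative, passes the `count == 0` test and is only rejected because the `(FT_ULong)` cast in the size comparison turns it into a huge number; that reliance deserves a comment at the cast, e.g. `/* the cast also rejects a negative `count' (top bit set) */`. The `28 + 4` bound is a heuristic that assumes every subfont has its own 28-byte offset table; a collection whose subfonts share one table directory could exceed `stream->size / 32` and be rejected with SFNT_Err_Array_Too_Large, so the comment should say the limit is deliberately stricter than the format requires. The offsets read into the array after this check are still untrusted; I assume the later seek validates them against `stream->size`, but that code is outside the hunk. sfnt_open_font starts and ends outside this hunk.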
@@ -536,7 +547,7 @@
FT_UNUSED( face_index );
/* Check parameters */
-
+
{
FT_Int i;