author | Werner Lemberg <wl@gnu.org> | 2010-11-18 10:28:16 +0100 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2010-11-18 10:28:16 +0100 |
commit | f689bf7d9f1f03a7eaf93aea14c9929e031b176f (patch) | |
tree | 0f68590982b1bcc8317762f97dbca92b7c98c440 /src | |
parent | 05012ad9c9a622a01aa65e16e7c6756ba3c7d50a (diff) |
[type1]: Improve guard against malformed data.
Based on a patch submitted by Johnson Y. Yan
<yinsen_yan@foxitsoftware.com>
* src/type1/t1load.c (read_binary_data): Check `size'.
Diffstat (limited to 'src')
-rw-r--r-- | src/type1/t1load.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 079f339c..c7701c77 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -4,7 +4,8 @@
 /* */
 /* Type 1 font loader (body). */
 /* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */
+/* 2010 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -1045,7 +1046,8 @@
 if ( cur < limit && ft_isdigit( *cur ) )
 {
- *size = T1_ToInt( parser );
+ FT_Long s = T1_ToInt( parser );
+
 T1_Skip_PS_Token( parser ); /* `RD' or `-|' or something else */
@@ -1053,8 +1055,12 @@
 /* `RD' or `-|' token */
 *base = parser->root.cursor + 1;
- parser->root.cursor += *size + 1;
- return !parser->root.error;
+ if ( s >= 0 && s < limit - *base )
+ {
+ parser->root.cursor += s + 1;
+ *size = s;
+ return !parser->root.error;
+ }
 }
 FT_ERROR(( "read_binary_data: invalid size field\n" )); |
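Review bot: In the last hunk `*base = parser->root.cursor + 1;` is still stored before the new `s >= 0 && s < limit - *base` test, so the out-parameter is written even when the size is rejected, and if the cursor already sits at `limit` after `T1_Skip_PS_Token` the pointer is formed beyond one-past-the-end before anything checks it. The guard does reject that case (the difference is then negative), but it would be cleaner to test against the cursor, `if ( s >= 0 && s < limit - parser->root.cursor - 1 )`, and move `*base = parser->root.cursor + 1;` to the first line inside the new block so that `*base` and `*size` are only set together on success. Whether callers read `*base` after a failed call is not visible here, since `read_binary_data` starts and ends outside the hunk. A one-line comment on the strict `<` (data that would end exactly at `limit` is refused) would also help the next reader.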