Add range checking of width and height for for downloaded bitmap

fonts, thanks to Norbert Janssen for the fix, fixes most of bug #690375. git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@9646 a1074d23-0009-0410-80fe-cf8c14f379e6
author: Henry Stiles <henry.stiles@artifex.com> 2009-04-16 05:00:01 +0000
committer: Henry Stiles <henry.stiles@artifex.com> 2009-04-16 05:00:01 +0000
commit: dc3137eb30ab0602415125f32ff97c227bb6dfc8 (patch)
tree: 0c12fa6bf9a85b6ceb3e4e01a45500645dffe77e /pcl
parent: a14b4beb13a0cb4943e0e06e1b3eddc569b79948 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/pcl/pcsfont.c b/pcl/pcsfont.c
index af1aa9318..922bc8bbd 100644
--- a/pcl/pcsfont.c
+++ b/pcl/pcsfont.c
@@ -501,8 +501,14 @@ pcl_character_data(pcl_args_t *pargs, pcl_state_t *pcs)
                   format != pcfh_truetype_large)
                  )
                 return e_Range;
+
             width = pl_get_uint16(data + 10);
+            if (width < 1  || width > 16384)
+                return e_Range;
             height = pl_get_uint16(data + 12);
+            if (height < 1 || height > 16384)
+                return e_Range;
+
             switch ( data[3] ) {
             case 1:             /* uncompressed bitmap */
                 font_data_size = 16 + (((width + 7) >> 3) * height);
author	Henry Stiles <henry.stiles@artifex.com>	2009-04-16 05:00:01 +0000
committer	Henry Stiles <henry.stiles@artifex.com>	2009-04-16 05:00:01 +0000
commit	dc3137eb30ab0602415125f32ff97c227bb6dfc8 (patch)
tree	0c12fa6bf9a85b6ceb3e4e01a45500645dffe77e /pcl
parent	a14b4beb13a0cb4943e0e06e1b3eddc569b79948 (diff)