diff options
| author | Chris Wilson <chris@chris-wilson.co.uk> | 2008-04-03 17:43:37 +0100 |
|---|---|---|
| committer | Chris Wilson <chris@chris-wilson.co.uk> | 2008-04-03 17:43:37 +0100 |
| commit | 13cdfed894d48b30e28296c3a27c8361bf5506fb (patch) | |
| tree | 3cf75e5ef4e74ed2511401f61bea09db5ffa3b45 /src/cairo-truetype-subset.c | |
| parent | cfff3c3bd04df5257176d9e43add52fc6daba329 (diff) | |
[cairo-truetype-subset] Perform a quick sanity check that glyf end >= begin.
Check for a bogus glyf position and prevent an integer overflow.
Diffstat (limited to 'src/cairo-truetype-subset.c')
| -rw-r--r-- | src/cairo-truetype-subset.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c index f143882e..68c5ff3c 100644 --- a/src/cairo-truetype-subset.c +++ b/src/cairo-truetype-subset.c @@ -580,6 +580,12 @@ cairo_truetype_font_write_glyf_table (cairo_truetype_font_t *font, end = be32_to_cpu (u.long_offsets[index + 1]); } + /* quick sanity check... */ + if (end < begin) { + status = CAIRO_INT_STATUS_UNSUPPORTED; + goto FAIL; + } + size = end - begin; status = cairo_truetype_font_align_output (font, &next); if (status) |