[bdf] Check number of properties (#48166).

* src/bdf/bdflib.c (_bdf_parse_start): Implement.

2 files changed, 17 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 53d85e545..5c9ec1374 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2016-06-09  Werner Lemberg  <wl@gnu.org>
+
+	[bdf] Check number of properties (#48166).
+
+	* src/bdf/bdflib.c (_bdf_parse_start): Implement.
+
 2016-06-08  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	[smooth] Re-enable new line renderer on 64-bit archs.
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index 4baa9ca91..e1dce954f 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1127,7 +1127,7 @@
       propid = ft_hash_str_lookup( name, &(font->proptbl) );
     }
 
-    /* Allocate another property if this is overflow. */
+    /* Allocate another property if this is overflowing. */
     if ( font->props_used == font->props_size )
     {
       if ( font->props_size == 0 )
@@ -1976,8 +1976,18 @@
       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
       if ( error )
         goto Exit;
+
       /* at this point, `p->font' can't be NULL */
       p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1] );
+      /* We need at least 4 bytes per property. */
+      if ( p->cnt > p->size / 4 )
+      {
+        p->font->props_size = 0;
+
+        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG5, lineno, "STARTPROPERTIES" ));
+        error = FT_THROW( Invalid_Argument );
+        goto Exit;
+      }
 
       if ( FT_NEW_ARRAY( p->font->props, p->cnt ) )
       {