diff options
author | Werner Lemberg <wl@gnu.org> | 2016-12-22 10:12:17 +0100 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2016-12-22 10:12:17 +0100 |
commit | 7f7333990ce65b0251535fe181ef1fce30219bb1 (patch) | |
tree | c22c4457e256635e5144d99af51951bdbdccb272 | |
parent | b44e6c2035121ae923730b5d864450774640933c (diff) | |
download | freetype2-7f7333990ce65b0251535fe181ef1fce30219bb1.tar.gz |
* src/base/ftrfork.c (FT_Raccess_Get_DataOffsets): Check `count'.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=308
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | src/base/ftrfork.c | 4 |
2 files changed, 11 insertions, 1 deletions
@@ -1,5 +1,13 @@ 2016-12-22 Werner Lemberg <wl@gnu.org> + * src/base/ftrfork.c (FT_Raccess_Get_DataOffsets): Check `count'. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=308 + +2016-12-22 Werner Lemberg <wl@gnu.org> + [cff] Protect against invalid `vsindex' and `blend' values. Reported as diff --git a/src/base/ftrfork.c b/src/base/ftrfork.c index b8b97a826..e656cd797 100644 --- a/src/base/ftrfork.c +++ b/src/base/ftrfork.c @@ -248,7 +248,9 @@ *count = subcnt + 1; rpos += map_offset; - if ( *count > 2727 ) + /* a zero count might be valid in the resource specification, */ + /* however, it is completely useless to us */ + if ( *count < 1 || *count > 2727 ) return FT_THROW( Invalid_Table ); error = FT_Stream_Seek( stream, (FT_ULong)rpos ); |