diff options
| author | Chris Liddell <chris.liddell@artifex.com> | 2013-06-03 08:31:56 +0100 |
|---|---|---|
| committer | Chris Liddell <chris.liddell@artifex.com> | 2013-06-03 15:51:10 +0100 |
| commit | 761e413514c7f9374f54e8ffef3c1d7ebf824e28 (patch) | |
| tree | a81b3c3fae6e598808f3bb743c3f3607155420ca | |
| parent | 1eef08f4aaf485a18422e9fbcfd6ac8cbfb03cdb (diff) | |
| download | ghostpdl-761e413514c7f9374f54e8ffef3c1d7ebf824e28.tar.gz | |
Bug 694272: bounds check TTF outline points flags
Reading the points "flags" from the TTF stream, we weren't bounds checking when
the flag value is a repeated one, so we could trundle off the end of the buffer.
No cluster differences.
| -rw-r--r-- | gs/base/ttfmain.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gs/base/ttfmain.c b/gs/base/ttfmain.c index 9550c9842..a692a5fbb 100644 --- a/gs/base/ttfmain.c +++ b/gs/base/ttfmain.c @@ -754,7 +754,7 @@ retry: *onCurve++ = flag = ttfReader__Byte(r); if (flag & REPEAT_FLAGS) { count = ttfReader__Byte(r); - for (--count; count >= 0; --count) + for (--count; count >= 0 && onCurve < stop; --count) *onCurve++ = flag; } } |