From beecf80a6deecbaf5d264d4f864451bde4fe98b8 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 16 Dec 2016 08:52:03 +0100
Subject: [cff] Fix heap buffer overflow (#49858).

* src/cff/cffparse.c (cff_parser_run): Add one more stack size check.
---
 src/cff/cffparse.c | 10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index 022c289..9b5ad72 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -1422,13 +1422,17 @@
 /* and look for it in our current list. */
 FT_UInt code;
- FT_UInt num_args = (FT_UInt)
- ( parser->top - parser->stack );
+ FT_UInt num_args;
 const CFF_Field_Handler* field;
+ if ( (FT_UInt)( parser->top - parser->stack ) >= CFF_MAX_STACK_DEPTH )
+ goto Stack_Overflow;
+
+ num_args = (FT_UInt)( parser->top - parser->stack );
 *parser->top = p;
- code = v;
+ code = v;
+
 if ( v == 12 )
 {
 /* two byte operator */
-- cgit v1.0-41-gc330
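Review bot: The stack depth `(FT_UInt)( parser->top - parser->stack )` is evaluated twice in the new lines, once in the guard and again in the `num_args =` assignment that follows, so the two can drift apart if one is edited later; keeping the original initializer and testing it directly avoids the repeat: `FT_UInt num_args = (FT_UInt)( parser->top - parser->stack );` followed by `if ( num_args >= CFF_MAX_STACK_DEPTH ) goto Stack_Overflow;` ahead of `*parser->top = p;`. The guard also deserves a one-line comment saying what it protects, since the reader has to infer from the next line that `*parser->top = p` is the store into the slot that must still exist, e.g. `/* the operator position goes into the next stack slot; refuse if none is left */`. The pointer difference is a signed value cast to FT_UInt, which makes a (presumably impossible) `top < stack` fail closed by tripping the same check, which is the safe direction. The enclosing function cff_parser_run starts and ends outside the hunk, so whether the other stack pushes carry an equivalent bound is not visible here.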