
From beecf80a6deecbaf5d264d4f864451bde4fe98b8 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 16 Dec 2016 08:52:03 +0100
Subject: [cff] Fix heap buffer overflow (#49858).

* src/cff/cffparse.c (cff_parser_run): Add one more stack size
check.
---
 src/cff/cffparse.c | 10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index 022c289..9b5ad72 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -1422,13 +1422,17 @@
         /* and look for it in our current list.                            */
 
         FT_UInt                   code;
-        FT_UInt                   num_args = (FT_UInt)
-                                             ( parser->top - parser->stack );
+        FT_UInt                   num_args;
         const CFF_Field_Handler*  field;
 
 
+        if ( (FT_UInt)( parser->top - parser->stack ) >= CFF_MAX_STACK_DEPTH )
+          goto Stack_Overflow;
+
+        num_args     = (FT_UInt)( parser->top - parser->stack );
         *parser->top = p;
-        code = v;
+        code         = v;
+
         if ( v == 12 )
         {
           /* two byte operator */
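Review bot: The new guard and the `num_args` assignment on the next line both spell out `(FT_UInt)( parser->top - parser->stack )`; computing `num_args` first and testing it reads better and keeps the two from drifting apart: `num_args = (FT_UInt)( parser->top - parser->stack );` then `if ( num_args >= CFF_MAX_STACK_DEPTH ) goto Stack_Overflow;`. The guard also deserves a comment saying what it protects, since the write it prevents is `*parser->top = p` two lines below, e.g. `/* operand stack full: pushing the operator would write past parser->stack */`. Whether the stack array has exactly CFF_MAX_STACK_DEPTH usable slots, or one spare for the operator, is not visible in this hunk and should be confirmed against the declaration in cffparse.h. The `Stack_Overflow` label and the rest of cff_parser_run lie outside the hunk.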
-- 