
From 5a0c6522682b0788fc478dd159dd6168cb5fa38b Mon Sep 17 00:00:00 2001
From: Jeremy Tan <jtanx@outlook.com>
Date: Sun, 30 Jul 2017 11:42:26 +0800
Subject: [PATCH 5/6] parsettf.c: Fix buffer overflow condition when reading
 CFF top dictionary

Closes #3087
---
 fontforge/parsettf.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/fontforge/parsettf.c b/fontforge/parsettf.c
index 04c038607..992db970c 100644
--- a/fontforge/parsettf.c
+++ b/fontforge/parsettf.c
@@ -2796,6 +2796,15 @@ return( 3 );
 	pt = buffer;
 	do {
 	    ch = getc(ttf);
+		// Space for at least 2 bytes is required
+		if ((pt-buffer) > (sizeof(buffer) - 2)) {
+			// The buffer is completely full; null-terminate truncate it
+			if ((pt-buffer) == sizeof(buffer)) {
+				pt--;
+			}
+			*pt++ = '\0';
+			break;
+		}
 	    if ( pt<buffer+44 || (ch&0xf)==0xf || (ch&0xf0)==0xf0 ) {
 		pt = addnibble(pt,ch>>4);
 		pt = addnibble(pt,ch&0xf);
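Review bot: The new guard compares the signed `pt-buffer` (ptrdiff_t) against the unsigned `sizeof(buffer) - 2`, which promotes the difference to size_t; it is correct here because pt never precedes buffer, but it trips -Wsign-compare and reads as a trap, so `if ((size_t)(pt-buffer) > sizeof(buffer) - 2) {` would be clearer. The two-byte reserve is only sufficient if each addnibble call emits at most one byte; addnibble is not in the hunk, so if any nibble expands to more than one character (an exponent marker with a sign, for instance) the check still lets the following pair of calls run past the end, and the reserve should be sized to addnibble's maximum output instead. Note also that after the truncating break the remaining bytes of the real number are left unread, so the caller resumes parsing mid-operand; that is tolerable for a rejected input but worth a comment such as `// remaining digits are left in the stream; caller treats the dict as malformed`. The enclosing function, its `buffer` declaration and the loop's terminating condition all lie outside this hunk.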
@@ -3019,7 +3028,7 @@ static struct topdicts *readcfftopdict(FILE *ttf, char *fontname, int len,
 
     /* Multiple master fonts can have Type2 operators here, particularly */
     /*  blend operators. We're ignoring that */
-    while ( ftell(ttf)<base+len ) {
+    while ( !feof(ttf) && ftell(ttf)<base+len ) {
 	sp = 0;
 	while ( (ret=readcffthing(ttf,&ival,&stack[sp],&oval,info))!=3 && ftell(ttf)<base+len ) {
 	    if ( ret==1 )
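Review bot: The inner loop on the `readcffthing` line keeps the bare `ftell(ttf)<base+len` condition without the `!feof(ttf)` guard the outer loop just gained, so on a truncated file the exit from the inner loop still depends on readcffthing returning 3 once getc starts yielding EOF, which this hunk does not show. Since ftell stops advancing at end of file, a value of `len` that overstates the dictionary size would otherwise keep the inner loop running; mirroring the guard, `while ( (ret=readcffthing(ttf,&ival,&stack[sp],&oval,info))!=3 && !feof(ttf) && ftell(ttf)<base+len ) {`, closes that path regardless of readcffthing's EOF behaviour. Separately, ftell returns -1L on failure, which always satisfies `< base+len`, so a stream on which ftell fails is not bounded by either loop. readcfftopdict's body continues outside the hunk, so the handling of `ret` and the bound on `sp` could not be checked here.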
-- 
2.13.3