--- freetype-2.2.1/src/base/ftobjs.c 2004-06-21 23:16:56.000000000 +0200
+++ freetype-2.2.1/src/base/ftobjs.c 2010-07-14 14:19:24.000000000 +0200
@@ -1192,6 +1192,8 @@
len += rlen;
else
{
+ if ( pfb_lenpos + 3 > pfb_len + 2 )
+ goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
@@ -1205,6 +1216,8 @@
if ( ( flags >> 8 ) == 5 ) /* End of font mark */
break;
+ if ( pfb_pos + 6 > pfb_len + 2 )
+ goto Exit2;
pfb_data[pfb_pos++] = 0x80;
type = flags >> 8;
@@ -1219,12 +1232,18 @@
}
error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+ if ( error )
+ goto Exit2;
pfb_pos += rlen;
}
+ if ( pfb_pos + 2 > pfb_len + 2 )
+ goto Exit2;
pfb_data[pfb_pos++] = 0x80;
pfb_data[pfb_pos++] = 3;
+ if ( pfb_lenpos + 3 > pfb_len + 2 )
+ goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
ace0c7d5943399be8235d684d03fb2e5
>
files
>
4
