blob: 0b5b3c625fe76367dbd155cc863ebc20cc742081 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
freetype-2.9: Fix potential numeric overflow
[No upstream tracking] -- https://savannah.nongnu.org/bugs/index.php?54023
ttcmap: (tt_cmap2_validate): Fix potential numeric overflow
The dead loop appears in the function tt_cmap2_char_next()
in "src\sfnt\ttcmap.c" in version 2.9 when "charcode == 256".
According to the notes, is seems that "subheader" should
not be NULL when "charcode == 256".
Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/sfnt/ttcmap.c?id=5bd76524ef786d942b28dc52618aeda3aebfa3d6]
bug: 54023
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 5afa6ae..8fb9542 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -358,7 +358,7 @@
/* check range within 0..255 */
if ( valid->level >= FT_VALIDATE_PARANOID )
{
- if ( first_code >= 256 || first_code + code_count > 256 )
+ if ( first_code >= 256 || code_count > 256 - first_code )
FT_INVALID_DATA;
}
|
