[OTS] Allow empty Private DICT inside CFF data BUG=chromium:112414 TEST=ran test_{un,}malicious_fonts.sh Review URL: https://chromiumcodereview.appspot.com/9447013 git-svn-id: http://ots.googlecode.com/svn/trunk@81 a4e77c2c-9104-11de-800e-5b313e0d2bf3

commit: d27e4d28a8a974c1966ecfd49b9740a226a682c9 [log] [tgz]
author: bashi@chromium.org <bashi@chromium.org@a4e77c2c-9104-11de-800e-5b313e0d2bf3> Thu Feb 23 23:36:04 2012 +0000
committer: bashi@chromium.org <bashi@chromium.org@a4e77c2c-9104-11de-800e-5b313e0d2bf3> Thu Feb 23 23:36:04 2012 +0000
tree: 7e6d98c4015459f268a526853392b34ca7dd263a
parent: 19a629d15a4f78d5d37cee6aabdb71f7d9400ca6 [diff]
diff --git a/src/cff.cc b/src/cff.cc
index 73fc233..a3931de 100644
--- a/src/cff.cc
+++ b/src/cff.cc

@@ -760,14 +760,13 @@
             return OTS_FAILURE();
           }
           const uint32_t private_length = operands.back().first;
-          if (private_offset >= table_length) {
+          if (private_offset > table_length) {
             return OTS_FAILURE();
           }
           if (private_length >= table_length) {
             return OTS_FAILURE();
           }
           if (private_length + private_offset > table_length) {
-            // does not overflow since table_length < 1GB
             return OTS_FAILURE();
           }
           // parse "15. Private DICT Data"
commit	d27e4d28a8a974c1966ecfd49b9740a226a682c9	[log] [tgz]
author	bashi@chromium.org <bashi@chromium.org@a4e77c2c-9104-11de-800e-5b313e0d2bf3>	Thu Feb 23 23:36:04 2012 +0000
committer	bashi@chromium.org <bashi@chromium.org@a4e77c2c-9104-11de-800e-5b313e0d2bf3>	Thu Feb 23 23:36:04 2012 +0000
tree	7e6d98c4015459f268a526853392b34ca7dd263a
parent	19a629d15a4f78d5d37cee6aabdb71f7d9400ca6 [diff]