commit 7cb9ec0f1c9b3ce3c92c840cdc9a18a576993bc3
author Werner Lemberg <wl@gnu.org> Mon Jun 09 20:49:29 2008 +0000
committer Werner Lemberg <wl@gnu.org> Mon Jun 09 20:49:29 2008 +0000
tree dac22cb24e7da9f67257f38548b1763aca526cdd
parent d77e72295e2f0494bd993c4f59b642c6bd5c3192

* src/type1/t1parse.h (T1_ParserRec): Make `base_len' and
`private_len' unsigned.

* src/type1/t1parse.c (read_pfb_tag): Make `asize' unsigned and read
it as such.
(T1_New_Parser, T1_Get_Private_Dict): Make `size' unsigned.


* src/base/ftstream.c (FT_Stream_Skip): Reject negative values.


* src/type1/t1load.c (parse_blend_design_positions): Check `n_axis'
for sane value.
Fix typo.


* src/psaux/psobjs.c (ps_table_add): Check `idx' correctly.


* src/truetype/ttinterp (Ins_SHC): Use BOUNDS() to check
`last_point'.


* src/sfnt/ttload.c (tt_face_load_max_profile): Limit
`maxTwilightPoints'.

src/type1/t1load.c

diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 508fd89..9d7c748 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -674,7 +674,7 @@
 
       for ( n = 0; n < num_designs; n++ )
       {
-        T1_TokenRec  axis_tokens[T1_MAX_MM_DESIGNS];
+        T1_TokenRec  axis_tokens[T1_MAX_MM_AXIS];
         T1_Token     token;
         FT_Int       axis, n_axis;
 
@@ -687,6 +687,15 @@
 
         if ( n == 0 )
         {
+          if ( n_axis <= 0 || n_axis > T1_MAX_MM_AXIS )
+          {
+            FT_ERROR(( "parse_blend_design_positions:" ));
+            FT_ERROR(( "  invalid number of axes: %d\n",
+                       n_axis ));
+            error = T1_Err_Invalid_File_Format;
+            goto Exit;
+          }
+
           num_axis = n_axis;
           error = t1_allocate_blend( face, num_designs, num_axis );
           if ( error )