* src/type1/t1load.c (parse_subrs, parse_charstrings): Protect
against too small binary data strings.
* src/bdf/bdflib.c (_bdf_parse_glyphs): Check `STARTCHAR' better.
diff --git a/ChangeLog b/ChangeLog
index ecad073..2b9e797 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2007-05-30 Werner Lemberg <wl@gnu.org>
+
+ * src/type1/t1load.c (parse_subrs, parse_charstrings): Protect
+ against too small binary data strings.
+
+ * src/bdf/bdflib.c (_bdf_parse_glyphs): Check `STARTCHAR' better.
+
2007-05-28 David Turner <david@freetype.org>
* src/cff/cffgload.c (cff_slot_load): Do not apply the identity
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index 93061bb..8dade71 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1537,6 +1537,12 @@
s = _bdf_list_join( &p->list, ' ', &slen );
+ if ( !s )
+ {
+ error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
if ( FT_NEW_ARRAY( p->glyph_name, slen + 1 ) )
goto Exit;
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index ed56bb4..c64f5f0 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1379,6 +1379,12 @@
FT_Byte* temp;
+ if ( size <= face->type1.private_dict.lenIV )
+ {
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* t1_decrypt() shouldn't write to base -- make temporary copy */
if ( FT_ALLOC( temp, size ) )
goto Fail;
@@ -1548,12 +1554,18 @@
notdef_found = 1;
}
- if ( face->type1.private_dict.lenIV >= 0 &&
- n < num_glyphs + TABLE_EXTEND )
+ if ( face->type1.private_dict.lenIV >= 0 &&
+ n < num_glyphs + TABLE_EXTEND )
{
FT_Byte* temp;
+ if ( size <= face->type1.private_dict.lenIV )
+ {
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* t1_decrypt() shouldn't write to base -- make temporary copy */
if ( FT_ALLOC( temp, size ) )
goto Fail;