
freetype2-2.3.12-1.9mdv2010.2.src.rpm

diff -Naurp freetype-2.3.11/src/type42/t42parse.c freetype-2.3.11.oden/src/type42/t42parse.c
--- freetype-2.3.11/src/type42/t42parse.c	2009-07-03 09:28:24.000000000 -0400
+++ freetype-2.3.11.oden/src/type42/t42parse.c	2010-08-22 06:25:38.000000000 -0400
@@ -575,6 +575,12 @@
         }
 
         string_size = T1_ToInt( parser );
+        if ( string_size < 0 )
+        {
+          FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
+          error = T42_Err_Invalid_File_Format;
+          goto Fail;
+        }
 
         T1_Skip_PS_Token( parser );             /* `RD' */
         if ( parser->root.error )
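Review bot: The added `string_size < 0` check has no comment saying why it matters, and its value only shows up in the next hunk. A negative size would satisfy the later `limit - parser->root.cursor < string_size` test and then move the cursor backwards by `string_size + 1`. I would put `/* a negative size would pass the bounds test below and rewind the cursor */` above the `if`. The declaration of `string_size` is outside the hunk; if it is an unsigned type the comparison can never be true, so that is worth confirming.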
@@ -582,13 +588,14 @@
 
         string_buf = parser->root.cursor + 1;   /* one space after `RD' */
 
-        parser->root.cursor += string_size + 1;
-        if ( parser->root.cursor >= limit )
+        if ( limit - parser->root.cursor < string_size )
         {
           FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
           error = T42_Err_Invalid_File_Format;
           goto Fail;
         }
+        else
+          parser->root.cursor += string_size + 1;
       }
 
       if ( !string_buf )
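Review bot: The new bound `limit - parser->root.cursor < string_size` looks off by one against the `string_size + 1` advance in the `else` branch. When exactly `string_size` bytes remain the test passes, yet `string_buf` starts at `cursor + 1`, so the string's last byte sits at `limit` and the cursor ends at `limit + 1`. The removed code rejected a cursor that merely reached `limit`, so the new test is looser than the one it replaces. Using `if ( limit - parser->root.cursor <= string_size )` keeps both the data and the cursor within `limit`. Whether the byte at `limit` is readable depends on how the buffer is set up, which is outside the hunk along with the rest of the function.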