From f46add13895337ece929b18bb8f036431b3fb538 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 12 Nov 2014 20:06:08 +0000
Subject: [sfnt] Fix Savannah bug #43589.

* src/sfnt/sfobjs.c (woff_open_font): Protect against addition
overflow.
---
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index cfea9cd..70b988d 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -574,8 +574,10 @@
 
 
       if ( table->Offset != woff_offset                         ||
-           table->Offset + table->CompLength > woff.length      ||
-           sfnt_offset + table->OrigLength > woff.totalSfntSize ||
+           table->CompLength > woff.length                      ||
+           table->Offset > woff.length - table->CompLength      ||
+           table->OrigLength > woff.totalSfntSize               ||
+           sfnt_offset > woff.totalSfntSize - table->OrigLength ||
            table->CompLength > table->OrigLength                )
       {
         error = FT_THROW( Invalid_Table );
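Review bot: The two subtraction checks in the new condition, `table->Offset > woff.length - table->CompLength` and `sfnt_offset > woff.totalSfntSize - table->OrigLength`, avoid wraparound only because the `||` operand just before each one has already rejected a length larger than its limit, and nothing in the code records that ordering dependency. A short comment above the `if`, such as `/* check each length against its limit first, so the subtraction that follows cannot wrap */`, would stop a later reordering or removal of the seemingly redundant length checks from reintroducing the overflow on values taken from the font file. This assumes the fields are unsigned integers, which the hunk does not show. `woff_open_font` begins and ends outside the hunk.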
--
cgit v0.9.0.2