From 62b6433a81ee7ed6e0ac2d6b09ac85b885046ac3 Mon Sep 17 00:00:00 2001
From: Jeremy Tan <jtanx@outlook.com>
Date: Sun, 30 Jul 2017 10:27:17 +0800
Subject: [PATCH 4/6] parsettf.c: Fix buffer overrun condition
Closes #3090
---
fontforge/parsettf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fontforge/parsettf.c b/fontforge/parsettf.c
index 90ac6eb62..04c038607 100644
--- a/fontforge/parsettf.c
+++ b/fontforge/parsettf.c
@@ -3533,7 +3533,7 @@ static void readcffset(FILE *ttf,struct topdicts *dict,struct ttfinfo *info) {
for ( i = 1; i<len; ) {
first = dict->charset[i++] = getushort(ttf);
cnt = getc(ttf);
- for ( j=0; j<cnt; ++j )
+ for ( j=0; j<cnt && i<len; ++j )
dict->charset[i++] = ++first;
}
} else if ( format==2 ) {
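Review bot: The `format==2` branch that opens on the last context line is not touched by this hunk, and if it expands ranges with the same `for ( j=0; j<cnt; ++j ) dict->charset[i++] = ++first;` loop it needs the same `i<len` bound; its body is outside the hunk, so this has to be checked in the full file. In the format 1 loop the added condition keeps the write to `dict->charset[i++]` below `len`, which is only sufficient if `len` matches the size the array was allocated with, and that allocation is not visible here either. A range count that runs past `len` means the charset data in the font is malformed, and the loop now drops the excess silently. A comment such as `/* cnt is read from the file; clamp so a bad range cannot write past charset[len-1] */`, plus a warning on the clamped path, would make the intent explicit. readcffset starts and ends outside the hunk.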
--
2.13.3