blob: 95f7b2f28019eba5365785b68d5dd3c345b4f757 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
diff --git src/bitmap/pcfread.c src/bitmap/pcfread.c
index fd41849..c5db255 100644
--- src/bitmap/pcfread.c
+++ src/bitmap/pcfread.c
@@ -588,6 +588,9 @@ pcfReadFont(FontPtr pFont, FontFilePtr file,
pFont->info.lastRow = pcfGetINT16(file, format);
pFont->info.defaultCh = pcfGetINT16(file, format);
if (IS_EOF(file)) goto Bail;
+ if (pFont->info.firstCol > pFont->info.lastCol ||
+ pFont->info.firstRow > pFont->info.lastRow ||
+ pFont->info.lastCol-pFont->info.firstCol > 255) goto Bail;
nencoding = (pFont->info.lastCol - pFont->info.firstCol + 1) *
(pFont->info.lastRow - pFont->info.firstRow + 1);
@@ -726,6 +729,9 @@ pcfReadFontInfo(FontInfoPtr pFontInfo, FontFilePtr file)
pFontInfo->lastRow = pcfGetINT16(file, format);
pFontInfo->defaultCh = pcfGetINT16(file, format);
if (IS_EOF(file)) goto Bail;
+ if (pFontInfo->firstCol > pFontInfo->lastCol ||
+ pFontInfo->firstRow > pFontInfo->lastRow ||
+ pFontInfo->lastCol-pFontInfo->firstCol > 255) goto Bail;
nencoding = (pFontInfo->lastCol - pFontInfo->firstCol + 1) *
(pFontInfo->lastRow - pFontInfo->firstRow + 1);
|
