Upgraded to freetype 2.5.5

1 files changed, 9 insertions, 3 deletions

diff --git a/freetype/src/sfnt/ttload.c b/freetype/src/sfnt/ttload.c
index 0a3cd29db..8338150ab 100644
--- a/freetype/src/sfnt/ttload.c
+++ b/freetype/src/sfnt/ttload.c
@@ -5,7 +5,7 @@
 /*    Load the basic TrueType tables, i.e., tables that can be either in   */
 /*    TTF or OTF fonts (body).                                             */
 /*                                                                         */
-/*  Copyright 1996-2010, 2012, 2013 by                                     */
+/*  Copyright 1996-2010, 2012-2014 by                                      */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -207,7 +207,10 @@
       }
 
       /* we ignore invalid tables */
-      if ( table.Offset + table.Length > stream->size )
+
+      /* table.Offset + table.Length > stream->size ? */
+      if ( table.Length > stream->size                ||
+           table.Offset > stream->size - table.Length )
       {
         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
         continue;
@@ -395,7 +398,10 @@
       entry->Length   = FT_GET_ULONG();
 
       /* ignore invalid tables */
-      if ( entry->Offset + entry->Length > stream->size )
+
+      /* entry->Offset + entry->Length > stream->size ? */
+      if ( entry->Length > stream->size                 ||
+           entry->Offset > stream->size - entry->Length )
         continue;
       else
       {