From 3ec0872f35d8ab79d07127c3e7be5f08977c2394 Mon Sep 17 00:00:00 2001
From: Masamichi Hosoda <trueroad@trueroad.jp>
Date: Thu, 27 Oct 2016 23:57:43 +0900
Subject: [PATCH] Issue 4989/3: Add a guard against invalid Type 1 (PFB) font

This commit makes LilyPond can detect invalid Type1 (PFB) font.
---
 lily/pfb.cc | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/lily/pfb.cc b/lily/pfb.cc
index 4f371c6c94..101f4f0fc6 100644
--- a/lily/pfb.cc
+++ b/lily/pfb.cc
@@ -24,6 +24,7 @@
 #include <sstream>
 using namespace std;
 
+#include "international.hh"
 #include "program-option.hh"
 #include "source-file.hh"
 #include "memory-stream.hh"
@@ -40,7 +41,10 @@ pfb2pfa (const vector<char> &pfb)
   while (p < pfb.end ())
     {
       if (static_cast<Byte>(*p++) != 128)
-        break;
+        {
+          error (_ ("Segment header of the Type 1 (PFB) font is broken."));
+          break;
+        }
 
       Byte type = static_cast<Byte>(*p++);
       if (type == 3)
@@ -50,6 +54,11 @@ pfb2pfa (const vector<char> &pfb)
       seglen |= (static_cast<Byte>(*p++) << 8);
       seglen |= (static_cast<Byte>(*p++) << 16);
       seglen |= (static_cast<Byte>(*p++) << 24);
+      if ((p + seglen) > pfb.end ())
+        {
+          error (_ ("Segment length of the Type 1 (PFB) font is too long."));
+          break;
+        }
 
       if (type == 1)
         {
@@ -72,6 +81,11 @@ pfb2pfa (const vector<char> &pfb)
           string str = ss.str ();
           copy (str.begin (), str.end (), back_inserter (out));
         }
+      else
+        {
+          error (_ ("Segment type of the Type 1 (PFB) font is unknown."));
+          break;
+        }
     }
 
   return out;
-- 
2.39.2