If the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an
integer overflow occurs in filevirus_ttf() when calling
CSafeGenFile::SafeLockBuffer.
The TTC file format is described here:
https://www.microsoft.com/typography/otspec/otff.htm
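As an added illustration (not the affected product's code, which the report does not show), a small TTC header reader that performs the numFonts * 4 size calculation with the guard this bug lacks. Names (ttc_offset_table_size, naive_size32) and the sample headers are constructed for the example; naive_size32 models the wrap on a 32-bit size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TTC header per the OpenType spec: 'ttcf' tag, uint16 majorVersion,
 * uint16 minorVersion, uint32 numFonts, then numFonts big-endian uint32
 * table-directory offsets. All multi-byte fields are big-endian. */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked product: on a 32-bit size_t, any numFonts >= 2^30 wraps,
 * so the buffer locked for the offset array is far too small. */
uint32_t naive_size32(uint32_t num_fonts) {
    return num_fonts * 4u;
}

/* Byte count needed for the offset array, or 0 when the buffer is not a
 * TTC, when numFonts * 4 would not fit in size_t, or when the array would
 * run past the end of the buffer. The guard is written as a division so
 * the check itself cannot overflow. */
size_t ttc_offset_table_size(const uint8_t *buf, size_t len, uint32_t *num_fonts_out) {
    if (len < 12 || memcmp(buf, "ttcf", 4) != 0)
        return 0;
    uint32_t num_fonts = be32(buf + 8);
    if (num_fonts == 0 || (size_t)num_fonts > SIZE_MAX / 4)
        return 0;                        /* rejects the wrapping case */
    size_t need = (size_t)num_fonts * 4;
    if (need > len - 12)
        return 0;                        /* array must fit after the header */
    if (num_fonts_out)
        *num_fonts_out = num_fonts;
    return need;
}

/* Constructed samples: a 2-font collection, and a header claiming 2^32-1 fonts. */
const uint8_t kGoodTtc[20] = {'t','t','c','f', 0,1, 0,0, 0,0,0,2,
                              0,0,0,20, 0,0,0,100};
const uint8_t kHugeTtc[12] = {'t','t','c','f', 0,1, 0,0, 0xFF,0xFF,0xFF,0xFF};

int main(void) {
    uint32_t n = 0;
    printf("good: %zu bytes, %u fonts\n", ttc_offset_table_size(kGoodTtc, sizeof kGoodTtc, &n), n);
    printf("huge: %zu bytes (rejected)\n", ttc_offset_table_size(kHugeTtc, sizeof kHugeTtc, NULL));
    printf("naive 32-bit size for 0x40000001 fonts: %u\n", naive_size32(0x40000001u));
    return 0;
}
```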
The attached testcase has password "infected".
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Original issue reported on code.google.com by tav...@google.com on 1 Oct 2015 at 4:20