* src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer

overflow.

* src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input.
Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work
in case of failure.

* src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals.
(tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after
frame test.

* src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for
`flag'.

ChangeLog

@@ -1,3 +1,19 @@
+2004-10-11  Joshua Neal  <jneal@csdaily.com>
+
+	* src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer
+	overflow.
+
+	* src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input.
+	Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work
+	in case of failure.
+
+	* src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals.
+	(tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after
+	frame test.
+
+	* src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for
+	`flag'.
+
 2004-10-09  Werner Lemberg  <wl@gnu.org>
 
 	* docs/CHANGES: Updated.

src/sfnt/ttcmap.c

@@ -1935,7 +1935,9 @@
       charmap.encoding    = FT_ENCODING_NONE;  /* will be filled later */
       offset              = TT_NEXT_ULONG( p );
 
-      if ( offset && table + offset + 2 < limit )
+      if ( offset                     &&
+           table + offset + 2 < limit &&
+           table + offset >= table    )
       {
         FT_Byte*                       cmap   = table + offset;
         volatile FT_UInt               format = TT_PEEK_USHORT( cmap );

src/sfnt/ttload.c

@@ -1842,16 +1842,21 @@
 
     FT_FRAME_EXIT();
 
+    if ( record_size < 0 || num_records < 0 )
+      return SFNT_Err_Invalid_File_Format;
+
     /* Only recognize format 0 */
     if ( hdmx->version != 0 )
       goto Exit;
 
-    if ( FT_QNEW_ARRAY( hdmx->records, num_records ) )
+    /* we can't use FT_QNEW_ARRAY here; otherwise tt_face_free_hdmx */
+    /* could fail during deallocation                               */
+    if ( FT_NEW_ARRAY( hdmx->records, num_records ) )
       goto Exit;
 
     hdmx->num_records = num_records;
-    num_glyphs   = face->root.num_glyphs;
-    record_size -= num_glyphs + 2;
+    num_glyphs        = face->root.num_glyphs;
+    record_size      -= num_glyphs + 2;
 
     {
       TT_HdmxEntry  cur   = hdmx->records;
@@ -1871,7 +1876,7 @@
 
         /* skip padding bytes */
         if ( record_size > 0 && FT_STREAM_SKIP( record_size ) )
-            goto Exit;
+          goto Exit;
       }
     }
 

src/sfnt/ttsbit.c

@@ -334,6 +334,13 @@
         FT_Bool   large = FT_BOOL( range->index_format == 1 );
 
 
+
+        if ( range->last_glyph < range->first_glyph )
+        {
+          error = SFNT_Err_Invalid_File_Format;
+          goto Exit;
+        }
+
         num_glyphs        = range->last_glyph - range->first_glyph + 1L;
         range->num_glyphs = num_glyphs;
         num_glyphs++;                       /* XXX: BEWARE - see spec */
@@ -519,14 +526,14 @@
         FT_ULong       count2 = strike->num_ranges;
 
 
-        if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
-          goto Exit;
-
         /* read each range */
         if ( FT_STREAM_SEEK( table_base + strike->ranges_offset ) ||
              FT_FRAME_ENTER( strike->num_ranges * 8L )            )
           goto Exit;
 
+        if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
+          goto Exit;
+
         range = strike->sbit_ranges;
         while ( count2 > 0 )
         {

src/truetype/ttgload.c

@@ -426,6 +426,8 @@
     flag       = (FT_Byte*)outline->tags;
     flag_limit = flag + n_points;
 
+    FT_ASSERT( flag != NULL );
+
     while ( flag < flag_limit )
     {
       if ( --byte_len < 0 )