* src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer

overflow.

* src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input.
Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work
in case of failure.

* src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals.
(tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after
frame test.

* src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for
`flag'.
This commit is contained in:
Werner Lemberg 2004-10-13 05:15:44 +00:00
parent 33febc0fb2
commit 685dd4f7b8
5 changed files with 40 additions and 8 deletions

View File

@ -1,3 +1,19 @@
2004-10-11 Joshua Neal <jneal@csdaily.com>
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer
overflow.
* src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input.
Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work
in case of failure.
* src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals.
(tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after
frame test.
* src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for
`flag'.
2004-10-09 Werner Lemberg <wl@gnu.org> 2004-10-09 Werner Lemberg <wl@gnu.org>
* docs/CHANGES: Updated. * docs/CHANGES: Updated.

View File

@ -1935,7 +1935,9 @@
charmap.encoding = FT_ENCODING_NONE; /* will be filled later */ charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
offset = TT_NEXT_ULONG( p ); offset = TT_NEXT_ULONG( p );
if ( offset && table + offset + 2 < limit ) if ( offset &&
table + offset + 2 < limit &&
table + offset >= table )
{ {
FT_Byte* cmap = table + offset; FT_Byte* cmap = table + offset;
volatile FT_UInt format = TT_PEEK_USHORT( cmap ); volatile FT_UInt format = TT_PEEK_USHORT( cmap );

View File

@ -1842,16 +1842,21 @@
FT_FRAME_EXIT(); FT_FRAME_EXIT();
if ( record_size < 0 || num_records < 0 )
return SFNT_Err_Invalid_File_Format;
/* Only recognize format 0 */ /* Only recognize format 0 */
if ( hdmx->version != 0 ) if ( hdmx->version != 0 )
goto Exit; goto Exit;
if ( FT_QNEW_ARRAY( hdmx->records, num_records ) ) /* we can't use FT_QNEW_ARRAY here; otherwise tt_face_free_hdmx */
/* could fail during deallocation */
if ( FT_NEW_ARRAY( hdmx->records, num_records ) )
goto Exit; goto Exit;
hdmx->num_records = num_records; hdmx->num_records = num_records;
num_glyphs = face->root.num_glyphs; num_glyphs = face->root.num_glyphs;
record_size -= num_glyphs + 2; record_size -= num_glyphs + 2;
{ {
TT_HdmxEntry cur = hdmx->records; TT_HdmxEntry cur = hdmx->records;
@ -1871,7 +1876,7 @@
/* skip padding bytes */ /* skip padding bytes */
if ( record_size > 0 && FT_STREAM_SKIP( record_size ) ) if ( record_size > 0 && FT_STREAM_SKIP( record_size ) )
goto Exit; goto Exit;
} }
} }

View File

@ -334,6 +334,13 @@
FT_Bool large = FT_BOOL( range->index_format == 1 ); FT_Bool large = FT_BOOL( range->index_format == 1 );
if ( range->last_glyph < range->first_glyph )
{
error = SFNT_Err_Invalid_File_Format;
goto Exit;
}
num_glyphs = range->last_glyph - range->first_glyph + 1L; num_glyphs = range->last_glyph - range->first_glyph + 1L;
range->num_glyphs = num_glyphs; range->num_glyphs = num_glyphs;
num_glyphs++; /* XXX: BEWARE - see spec */ num_glyphs++; /* XXX: BEWARE - see spec */
@ -519,14 +526,14 @@
FT_ULong count2 = strike->num_ranges; FT_ULong count2 = strike->num_ranges;
if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
goto Exit;
/* read each range */ /* read each range */
if ( FT_STREAM_SEEK( table_base + strike->ranges_offset ) || if ( FT_STREAM_SEEK( table_base + strike->ranges_offset ) ||
FT_FRAME_ENTER( strike->num_ranges * 8L ) ) FT_FRAME_ENTER( strike->num_ranges * 8L ) )
goto Exit; goto Exit;
if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
goto Exit;
range = strike->sbit_ranges; range = strike->sbit_ranges;
while ( count2 > 0 ) while ( count2 > 0 )
{ {

View File

@ -426,6 +426,8 @@
flag = (FT_Byte*)outline->tags; flag = (FT_Byte*)outline->tags;
flag_limit = flag + n_points; flag_limit = flag + n_points;
FT_ASSERT( flag != NULL );
while ( flag < flag_limit ) while ( flag < flag_limit )
{ {
if ( --byte_len < 0 ) if ( --byte_len < 0 )