* src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer
overflow. * src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input. Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work in case of failure. * src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals. (tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after frame test. * src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for `flag'.
This commit is contained in:
parent
33febc0fb2
commit
685dd4f7b8
16
ChangeLog
16
ChangeLog
|
@ -1,3 +1,19 @@
|
|||
2004-10-11 Joshua Neal <jneal@csdaily.com>
|
||||
|
||||
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer
|
||||
overflow.
|
||||
|
||||
* src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input.
|
||||
Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work
|
||||
in case of failure.
|
||||
|
||||
* src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals.
|
||||
(tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after
|
||||
frame test.
|
||||
|
||||
* src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for
|
||||
`flag'.
|
||||
|
||||
2004-10-09 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
* docs/CHANGES: Updated.
|
||||
|
|
|
@ -1935,7 +1935,9 @@
|
|||
charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
|
||||
offset = TT_NEXT_ULONG( p );
|
||||
|
||||
if ( offset && table + offset + 2 < limit )
|
||||
if ( offset &&
|
||||
table + offset + 2 < limit &&
|
||||
table + offset >= table )
|
||||
{
|
||||
FT_Byte* cmap = table + offset;
|
||||
volatile FT_UInt format = TT_PEEK_USHORT( cmap );
|
||||
|
|
|
@ -1842,16 +1842,21 @@
|
|||
|
||||
FT_FRAME_EXIT();
|
||||
|
||||
if ( record_size < 0 || num_records < 0 )
|
||||
return SFNT_Err_Invalid_File_Format;
|
||||
|
||||
/* Only recognize format 0 */
|
||||
if ( hdmx->version != 0 )
|
||||
goto Exit;
|
||||
|
||||
if ( FT_QNEW_ARRAY( hdmx->records, num_records ) )
|
||||
/* we can't use FT_QNEW_ARRAY here; otherwise tt_face_free_hdmx */
|
||||
/* could fail during deallocation */
|
||||
if ( FT_NEW_ARRAY( hdmx->records, num_records ) )
|
||||
goto Exit;
|
||||
|
||||
hdmx->num_records = num_records;
|
||||
num_glyphs = face->root.num_glyphs;
|
||||
record_size -= num_glyphs + 2;
|
||||
num_glyphs = face->root.num_glyphs;
|
||||
record_size -= num_glyphs + 2;
|
||||
|
||||
{
|
||||
TT_HdmxEntry cur = hdmx->records;
|
||||
|
@ -1871,7 +1876,7 @@
|
|||
|
||||
/* skip padding bytes */
|
||||
if ( record_size > 0 && FT_STREAM_SKIP( record_size ) )
|
||||
goto Exit;
|
||||
goto Exit;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -334,6 +334,13 @@
|
|||
FT_Bool large = FT_BOOL( range->index_format == 1 );
|
||||
|
||||
|
||||
|
||||
if ( range->last_glyph < range->first_glyph )
|
||||
{
|
||||
error = SFNT_Err_Invalid_File_Format;
|
||||
goto Exit;
|
||||
}
|
||||
|
||||
num_glyphs = range->last_glyph - range->first_glyph + 1L;
|
||||
range->num_glyphs = num_glyphs;
|
||||
num_glyphs++; /* XXX: BEWARE - see spec */
|
||||
|
@ -519,14 +526,14 @@
|
|||
FT_ULong count2 = strike->num_ranges;
|
||||
|
||||
|
||||
if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
|
||||
goto Exit;
|
||||
|
||||
/* read each range */
|
||||
if ( FT_STREAM_SEEK( table_base + strike->ranges_offset ) ||
|
||||
FT_FRAME_ENTER( strike->num_ranges * 8L ) )
|
||||
goto Exit;
|
||||
|
||||
if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
|
||||
goto Exit;
|
||||
|
||||
range = strike->sbit_ranges;
|
||||
while ( count2 > 0 )
|
||||
{
|
||||
|
|
|
@ -426,6 +426,8 @@
|
|||
flag = (FT_Byte*)outline->tags;
|
||||
flag_limit = flag + n_points;
|
||||
|
||||
FT_ASSERT( flag != NULL );
|
||||
|
||||
while ( flag < flag_limit )
|
||||
{
|
||||
if ( --byte_len < 0 )
|
||||
|
|
Loading…
Reference in New Issue