diff --git a/ChangeLog b/ChangeLog
index 8b8b6c2c2..cfc74cc0a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,21 @@
+2011-10-01 Braden Thomas
+
+ Handle some border cases.
+
+ * include/freetype/config/ftstdlib.h (FT_USHORT_MAX): New macro.
+
+ * src/base/ftbitmap.c (FT_Bitmap_Convert): Protect against invalid
+ value of `target->rows'.
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings): Add check for
+ flex start.
+
+ * src/raster/ftrend1.c (ft_raster1_render): Check `width' and
+ `height'.
+
+ * src/truetype/ttgxvar.c (TT_Vary_Get_Glyph_Deltas): Protect against
+ invalid values in `localpoints' array.
+
 2011-10-01 Werner Lemberg
 [psnames] Handle zapfdingbats.
diff --git a/include/freetype/config/ftstdlib.h b/include/freetype/config/ftstdlib.h
index 30ec14e74..11d5d0e65 100644
--- a/include/freetype/config/ftstdlib.h
+++ b/include/freetype/config/ftstdlib.h
@@ -5,7 +5,7 @@
 /* ANSI-specific library and header configuration file (specification */
 /* only). */
 /* */
-/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2009 by */
+/* Copyright 2002-2007, 2009, 2011 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -59,11 +59,12 @@
 #include
-#define FT_CHAR_BIT CHAR_BIT
-#define FT_INT_MAX INT_MAX
-#define FT_INT_MIN INT_MIN
-#define FT_UINT_MAX UINT_MAX
-#define FT_ULONG_MAX ULONG_MAX
+#define FT_CHAR_BIT CHAR_BIT
+#define FT_USHORT_MAX USHRT_MAX
+#define FT_INT_MAX INT_MAX
+#define FT_INT_MIN INT_MIN
+#define FT_UINT_MAX UINT_MAX
+#define FT_ULONG_MAX ULONG_MAX
 /**********************************************************************/
diff --git a/src/base/ftbitmap.c b/src/base/ftbitmap.c
index 22ec33752..5ef7ac760 100644
--- a/src/base/ftbitmap.c
+++ b/src/base/ftbitmap.c
@@ -4,7 +4,7 @@ /* */ /* FreeType utility functions for bitmaps (body). */ /* */ -/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 2004-2009, 2011 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -417,6 +417,10 @@ target->pitch = source->width + pad; + if ( target->pitch > 0 && + target->rows > FT_ULONG_MAX / target->pitch ) + return FT_Err_Invalid_Argument; + if ( target->rows * target->pitch > old_size && FT_QREALLOC( target->buffer, old_size, target->rows * target->pitch ) ) diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c index 90874f022..b3ccbdde0 100644 --- a/src/psaux/t1decode.c +++ b/src/psaux/t1decode.c @@ -764,6 +764,13 @@ if ( arg_cnt != 0 ) goto Unexpected_OtherSubr; + if ( decoder->flex_state == 0 ) + { + FT_ERROR(( "t1_decoder_parse_charstrings:" + " missing flex start\n" )); + goto Syntax_Error; + } + /* note that we should not add a point for index 0; */ /* this will move our current position to the flex */ /* point without adding any point to the outline */ diff --git a/src/raster/ftrend1.c b/src/raster/ftrend1.c index d8a89f28a..28b1b5897 100644 --- a/src/raster/ftrend1.c +++ b/src/raster/ftrend1.c @@ -4,7 +4,7 @@ /* */ /* The FreeType glyph rasterizer interface (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2005, 2006 by */ +/* Copyright 1996-2003, 2005, 2006, 2011 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -176,6 +176,13 @@ width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 ); height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 ); + + if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX ) + { + error = Raster_Err_Invalid_Argument; + goto Exit; + } + bitmap = &slot->bitmap; memory = render->root.memory; diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index 37bbe6d2e..69b702f62 100644 --- a/src/truetype/ttgxvar.c 
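Review bot: The guard added in the second ftbitmap.c hunk bounds `target->rows` by `FT_ULONG_MAX / target->pitch`, but the product it is meant to protect, `target->rows * target->pitch` in the `if` that follows, is evaluated in the operands' own type. If `rows` and `pitch` are `int` fields (their declarations are not in this hunk), that multiplication can still overflow wherever `unsigned long` is wider than `int`; bounding with `target->rows > FT_INT_MAX / target->pitch`, or casting both operands of the product to `FT_ULong`, would make the check match the arithmetic. The guard is also skipped entirely when `target->pitch` is zero or negative, and `source->width + pad` on the line above is itself unchecked. The enclosing function starts and ends outside the hunk.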
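Review bot: The `FT_USHORT_MAX` limit added in the second ftrend1.c hunk carries no comment saying which 16-bit quantity it protects, so a later reader cannot tell whether the bound may ever be relaxed. I would put `/* reject sizes the rasterizer cannot represent: <name of the 16-bit consumer> */` above the `if`, naming the actual field or routine. The test also runs only after `( cbox.xMax - cbox.xMin ) >> 6` has been cast to `FT_UInt`, so an inverted or wrapped control box is rejected only because it turns into a large unsigned value; comparing the box coordinates before the cast would make that intent explicit. The function body continues outside the hunk.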
+++ b/src/truetype/ttgxvar.c
@@ -4,7 +4,7 @@
 /* */
 /* TrueType GX Font Variation loader */
 /* */
-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 2004-2011 by */
 /* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -1474,6 +1474,9 @@
 {
 for ( j = 0; j < point_count; ++j )
 {
+ if ( localpoints[j] >= n_points )
+ continue;
+
 delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply );
 delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply );
 }
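Review bot: Out-of-range entries in `localpoints` are dropped silently by the `continue` added in the second ttgxvar.c hunk, so a font with malformed variation data renders with partial deltas and leaves nothing for whoever triages it. A short comment such as `/* ignore point indices outside the glyph; the font data is malformed */` plus a diagnostic in the style of the `FT_ERROR(( ... ))` call used in the t1decode.c hunk would make the decision visible. Only the branch that indexes through `localpoints` appears here; any sibling loop that indexes `delta_xy`, `deltas_x` or `deltas_y` directly should presumably be checked against `n_points` and `point_count` in the same way. The enclosing loop and function start outside the hunk.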