* src/bdf/bdflib.c (setsbit, sbitset): Handle values >= 128

gracefully.
(_bdf_set_default_spacing): Increase `name' buffer size to 256 and
issue an error for longer names.
(_bdf_parse_glyphs): Limit allowed number of glyphs in font to the
number of code points in Unicode.

ChangeLog

@@ -1,20 +1,30 @@
+2007-03-28  Werner Lemberg  <wl@gnu.org>
+
+	* src/bdf/bdflib.c (setsbit, sbitset): Handle values >= 128
+	gracefully.
+	(_bdf_set_default_spacing): Increase `name' buffer size to 256 and
+	issue an error for longer names.
+	(_bdf_parse_glyphs): Limit allowed number of glyphs in font to the
+	number of code points in Unicode.
+
 2007-03-26  David Turner  <david@freetype.org>
 
-	* src/truetype/ttinterp.c: last fix for the MD instruction bytecode and
-	remove the FIX_BYTECODE macros from the sources. Woot, this looks good.
+	* src/truetype/ttinterp.c: Last fix for the `MD' instruction
+	bytecode and remove the FIX_BYTECODE macros from the sources.
 
-	* src/autofit/aflatin.c (af_latin_metrics_init_blues): fix blues computations
-	in order to ignore 1-point contours. These are never rasterized and in certain
-	fonts correspond to mark-attach points that are very far from the glyph's
-	real outline, ruining the computation.
+	* src/autofit/aflatin.c (af_latin_metrics_init_blues): Fix blues
+	computations in order to ignore 1-point contours.  These are never
+	rasterized and correspond in certain fonts mark-attach points that
+	are very far from the glyph's real outline, ruining the computation.
 
-	* src/autofit/afloader.c (af_loader_load_g): in the case of monospaced fonts,
-	always set "rsb_delta" and "lsb_delta" to 0. Otherwise code that uses them
-	will most certainly ruin the fixed advance property.
+	* src/autofit/afloader.c (af_loader_load_g): In the case of
+	monospaced fonts, always set `rsb_delta' and `lsb_delta' to 0. 
+	Otherwise code that uses them will most certainly ruin the fixed
+	advance property.
 
-	* docs/CHANGES, docs/VERSION, include/freetype/freetype.h, 
-	builds/unix/configure.raw, README, Jamfile: update documentation and bump version
-	number to 2.3.3
+	* docs/CHANGES, docs/VERSION, include/freetype/freetype.h,
+	builds/unix/configure.raw, README, Jamfile: Update documentation and
+	bump version number to 2.3.3.
 
 2007-03-26  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 

src/bdf/bdflib.c

@@ -385,8 +385,10 @@
   } _bdf_parse_t;
 
 
-#define setsbit( m, cc )  ( m[(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
-#define sbitset( m, cc )  ( m[(cc) >> 3]  & ( 1 << ( (cc) & 7 ) ) )
+#define setsbit( m, cc ) \
+          ( m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
+#define sbitset( m, cc ) \
+          ( m[(FT_Byte)(cc) >> 3]  & ( 1 << ( (cc) & 7 ) ) )
 
 
   static void
@@ -1130,7 +1132,7 @@
                             bdf_options_t*  opts )
   {
     unsigned long  len;
-    char           name[128];
+    char           name[256];
     _bdf_list_t    list;
     FT_Memory      memory;
     FT_Error       error = BDF_Err_Ok;
@@ -1149,6 +1151,13 @@
     font->spacing = opts->font_spacing;
 
     len = (unsigned long)( ft_strlen( font->name ) + 1 );
+    /* Limit ourselves to 256 characters in the font name. */
+    if ( len >= 256 )
+    {
+      error = BDF_Err_Invalid_Argument;
+      goto Exit;
+    }
+
     FT_MEM_COPY( name, font->name, len );
 
     error = _bdf_list_split( &list, (char *)"-", name, len );
@@ -1467,6 +1476,14 @@
       if ( p->cnt == 0 )
         font->glyphs_size = 64;
 
+      /* Limit ourselves to 1,114,112 glyphs in the font (this is the */
+      /* number of code points available in Unicode).                 */
+      if ( p->cnt >= 1114112UL )
+      {
+        error = BDF_Err_Invalid_Argument;
+        goto Exit;
+      }
+
       if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) )
         goto Exit;