Minor fixes.

* src/cff/cffload.c (cff_charset_compute_cids): `charset->sids[i]'
is `FT_UShort'.
(cff_index_access_element): Don't use additions in comparison.
* src/sfnt/ttpost.c (load_format_20): Make `post_limit' of type
`FT_Long'.
Don't use additions in comparison.
Improve tracing messages.
(load_format_25, load_post_names): Make `post_limit' of type
`FT_Long'.
This commit is contained in:
Werner Lemberg 2010-09-19 20:51:19 +02:00
parent 73aa20ca1d
commit d38ba0c92d
3 changed files with 70 additions and 51 deletions

View File

@ -1,13 +1,27 @@
2010-09-19 Werner Lemberg <wl@gnu.org>
Minor fixes.
* src/cff/cffload.c (cff_charset_compute_cids): `charset->sids[i]'
is `FT_UShort'.
(cff_index_access_element): Don't use additions in comparison.
* src/sfnt/ttpost.c (load_format_20): Make `post_limit' of type
`FT_Long'.
Don't use additions in comparison.
Improve tracing messages.
(load_format_25, load_post_names): Make `post_limit' of type
`FT_Long'.
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[cff] Truncate the element length at the end of the stream.
See Savannah bug #30975.
* src/cff/cffload.c (cff_index_access_element): `off2', the
offset to the next element is truncated at the end of the
stream to prevent invalid I/O. As `off1', the offset to the
requested element has been checked by FT_STREAM_SEEK(),
`off2' should be checked similarly.
* src/cff/cffload.c (cff_index_access_element): `off2', the offset
to the next element is truncated at the end of the stream to prevent
invalid I/O. As `off1', the offset to the requested element has
been checked by FT_STREAM_SEEK(), `off2' should be checked
similarly.
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
@ -15,17 +29,17 @@
See Savannah bug #30975.
* src/cff/cffload.c (cff_charset_compute_cids): Ignore CID if
greater than 0xFFFFU. CFF font spec does not mention about
maximum CID in the font, but PostScript and PDF spec define
that maximum CID is 0xFFFFU.
greater than 0xFFFFU. CFF font spec does not mention maximum CID in
the font, but PostScript and PDF spec define that maximum CID is
0xFFFFU.
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[cff] Make trace message in cff_charset_load() verbose.
See Savannah bug #30975.
* src/cff/cffload.c (cff_charset_load): Report the original
`nleft' and truncated `nleft'.
* src/cff/cffload.c (cff_charset_load): Report the original `nleft'
and truncated `nleft'.
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
@ -33,45 +47,47 @@
See Savannah bug #30975.
* src/cff/cffload.c (cff_charset_compute_cids): Don't increment
max_cid after detecting max CID. The array CFF_Charset->cids
is allocated by max_cid + 1.
(cff_charset_cid_to_gindex): Permit CID is less than or equal
to CFF_Charset->max_cid.
max_cid after detecting max CID. The array CFF_Charset->cids is
allocated by max_cid + 1.
(cff_charset_cid_to_gindex): Permit CID is less than or equal to
CFF_Charset->max_cid.
* src/cff/cffobjs.c (cff_face_init): FT_Face->num_glyphs is
calculated as CFF_Charset->max_cid + 1.
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[truetype] Sanitize the broken offsets in `loca'.
See Savannah bug #31040.
* src/truetype/ttpload.c (tt_face_get_location): If `pos1', the
offset to the requested entry in `glyf' exceeds the end of the
table, return offset=0, length=0. If `pos2', the offset to the
next entry in `glyf' exceeds the end of the table, truncate
the entry length at the end of `glyf' table.
See Savannah bug #31040.
table, return offset=0, length=0. If `pos2', the offset to the next
entry in `glyf' exceeds the end of the table, truncate the entry
length at the end of `glyf' table.
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[sfnt] Prevent overrunning in `post' table parser.
See Savannah bug #31040.
* src/sfnt/ttpost.c (load_post_names): Get the length of
`post' table and pass the limit of `post' table to
load_format_20() and load_format_25().
(load_format_20): Stop the parsing when we reached at the
limit of `post' table. If more glyph names are required,
they are filled by NULL names. See Savannah bug #31040.
* src/sfnt/ttpost.c (load_post_names): Get the length of `post'
table and pass the limit of `post' table to load_format_20() and
load_format_25().
(load_format_20): Stop the parsing when we reached at the limit of
`post' table. If more glyph names are required, they are filled by
NULL names.
2010-09-17 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[truetype] Don't duplicate size->twilight structure to be freed.
See Savannah bug #31040 for detail.
* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
FT_GlyphZoneRec size->twilight to be freed. If duplicated,
FT_FREE() erases the duplicated pointers only and leave original
pointers. They can cause the double-free crash when the burst
errors occur in TrueType interpreter and free_buffer_in_size()
is invoked repeatedly. See Savannah bug #31040 for detail.
errors occur in TrueType interpreter and free_buffer_in_size() is
invoked repeatedly.
2010-09-15 Werner Lemberg <wl@gnu.org>

View File

@ -519,9 +519,10 @@
}
}
/* XXX: should check off2 does not exceed the end of this entry */
/* at present, only truncate off 2 at the end of this stream */
if ( idx->data_offset + off2 - 1 > stream->size )
/* XXX: should check off2 does not exceed the end of this entry; */
/* at present, only truncate off2 at the end of this stream */
if ( off2 > stream->size + 1 ||
idx->data_offset > stream->size - off2 + 1 )
{
FT_ERROR(( "cff_index_access_element:"
" offset to next entry (%d)"
@ -791,16 +792,11 @@
for ( i = 0; i < num_glyphs; i++ )
{
if ( charset->sids[i] > 0xFFFFU )
FT_ERROR(( "cff_charset_compute_cids():"
" ignore CID (0x%lx) for SID (0x%lx),"
" greater than PS/PDF spec\n",
charset->sids[i], i ));
else if ( charset->sids[i] > max_cid )
if ( charset->sids[i] > max_cid )
max_cid = charset->sids[i];
}
if ( FT_NEW_ARRAY( charset->cids, max_cid + 1 ) )
if ( FT_NEW_ARRAY( charset->cids, (FT_ULong)max_cid + 1 ) )
goto Exit;
/* When multiple GIDs map to the same CID, we choose the lowest */

View File

@ -5,7 +5,7 @@
/* Postcript name table processing for TrueType and OpenType fonts */
/* (body). */
/* */
/* Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009 by */
/* Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -154,7 +154,7 @@
static FT_Error
load_format_20( TT_Face face,
FT_Stream stream,
FT_ULong post_limit )
FT_Long post_limit )
{
FT_Memory memory = stream->memory;
FT_Error error;
@ -231,30 +231,34 @@
FT_UInt len;
FT_TRACE7(( "load_format_20: %d byte left in post table\n",
post_limit - FT_STREAM_POS() ));
if ( FT_STREAM_POS() >= post_limit )
{
FT_ERROR(( "load_format_20:"
" all entries in post table is already parsed,"
" put NULL name for gid=%d\n", n ));
" all entries in post table are already parsed,"
" using NULL for gid %d\n", n ));
len = 0;
}
else if ( FT_READ_BYTE( len ) )
goto Fail1;
else
{
FT_TRACE6(( "load_format_20: %d byte left in post table\n",
post_limit - FT_STREAM_POS() ));
if ( len > 0 && FT_STREAM_POS() + len > post_limit )
if ( FT_READ_BYTE( len ) )
goto Fail1;
}
if ( (FT_Int)len > post_limit ||
FT_STREAM_POS() > post_limit - (FT_Int)len )
{
FT_ERROR(( "load_format_20:"
" too large string length (%d)"
" truncate at the end of post table (%d byte left)\n",
" exceeding string length (%d),"
" truncating at end of post table (%d byte left)\n",
len, post_limit - FT_STREAM_POS() ));
len = FT_MAX( 0, post_limit - FT_STREAM_POS() );
}
if ( FT_NEW_ARRAY( name_strings[n], len + 1 ) ||
FT_STREAM_READ ( name_strings[n], len ) )
FT_STREAM_READ( name_strings[n], len ) )
goto Fail1;
name_strings[n][len] = '\0';
@ -294,7 +298,7 @@
static FT_Error
load_format_25( TT_Face face,
FT_Stream stream,
FT_ULong post_limit )
FT_Long post_limit )
{
FT_Memory memory = stream->memory;
FT_Error error;
@ -302,6 +306,8 @@
FT_Int num_glyphs;
FT_Char* offset_table = 0;
FT_UNUSED( post_limit );
/* UNDOCUMENTED! This value appears only in the Apple TT specs. */
if ( FT_READ_USHORT( num_glyphs ) )
@ -361,7 +367,8 @@
FT_Stream stream;
FT_Error error;
FT_Fixed format;
FT_ULong post_len, post_limit;
FT_ULong post_len;
FT_Long post_limit;
/* get a stream for the face's resource */