Minor fixes.
* src/cff/cffload.c (cff_charset_compute_cids): `charset->sids[i]' is `FT_UShort'. (cff_index_access_element): Don't use additions in comparison. * src/sfnt/ttpost.c (load_format_20): Make `post_limit' of type `FT_Long'. Don't use additions in comparison. Improve tracing messages. (load_format_25, load_post_names): Make `post_limit' of type `FT_Long'.
This commit is contained in:
parent
73aa20ca1d
commit
d38ba0c92d
68
ChangeLog
68
ChangeLog
|
@ -1,13 +1,27 @@
|
|||
2010-09-19 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
Minor fixes.
|
||||
|
||||
* src/cff/cffload.c (cff_charset_compute_cids): `charset->sids[i]'
|
||||
is `FT_UShort'.
|
||||
(cff_index_access_element): Don't use additions in comparison.
|
||||
* src/sfnt/ttpost.c (load_format_20): Make `post_limit' of type
|
||||
`FT_Long'.
|
||||
Don't use additions in comparison.
|
||||
Improve tracing messages.
|
||||
(load_format_25, load_post_names): Make `post_limit' of type
|
||||
`FT_Long'.
|
||||
|
||||
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
[cff] Truncate the element length at the end of the stream.
|
||||
See Savannah bug #30975.
|
||||
|
||||
* src/cff/cffload.c (cff_index_access_element): `off2', the
|
||||
offset to the next element is truncated at the end of the
|
||||
stream to prevent invalid I/O. As `off1', the offset to the
|
||||
requested element has been checked by FT_STREAM_SEEK(),
|
||||
`off2' should be checked similarly.
|
||||
* src/cff/cffload.c (cff_index_access_element): `off2', the offset
|
||||
to the next element is truncated at the end of the stream to prevent
|
||||
invalid I/O. As `off1', the offset to the requested element has
|
||||
been checked by FT_STREAM_SEEK(), `off2' should be checked
|
||||
similarly.
|
||||
|
||||
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
|
@ -15,17 +29,17 @@
|
|||
See Savannah bug #30975.
|
||||
|
||||
* src/cff/cffload.c (cff_charset_compute_cids): Ignore CID if
|
||||
greater than 0xFFFFU. CFF font spec does not mention about
|
||||
maximum CID in the font, but PostScript and PDF spec define
|
||||
that maximum CID is 0xFFFFU.
|
||||
greater than 0xFFFFU. CFF font spec does not mention maximum CID in
|
||||
the font, but PostScript and PDF spec define that maximum CID is
|
||||
0xFFFFU.
|
||||
|
||||
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
[cff] Make trace message in cff_charset_load() verbose.
|
||||
See Savannah bug #30975.
|
||||
|
||||
* src/cff/cffload.c (cff_charset_load): Report the original
|
||||
`nleft' and truncated `nleft'.
|
||||
* src/cff/cffload.c (cff_charset_load): Report the original `nleft'
|
||||
and truncated `nleft'.
|
||||
|
||||
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
|
@ -33,45 +47,47 @@
|
|||
See Savannah bug #30975.
|
||||
|
||||
* src/cff/cffload.c (cff_charset_compute_cids): Don't increment
|
||||
max_cid after detecting max CID. The array CFF_Charset->cids
|
||||
is allocated by max_cid + 1.
|
||||
(cff_charset_cid_to_gindex): Permit CID is less than or equal
|
||||
to CFF_Charset->max_cid.
|
||||
max_cid after detecting max CID. The array CFF_Charset->cids is
|
||||
allocated by max_cid + 1.
|
||||
(cff_charset_cid_to_gindex): Permit CID is less than or equal to
|
||||
CFF_Charset->max_cid.
|
||||
* src/cff/cffobjs.c (cff_face_init): FT_Face->num_glyphs is
|
||||
calculated as CFF_Charset->max_cid + 1.
|
||||
|
||||
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
[truetype] Sanitize the broken offsets in `loca'.
|
||||
See Savannah bug #31040.
|
||||
|
||||
* src/truetype/ttpload.c (tt_face_get_location): If `pos1', the
|
||||
offset to the requested entry in `glyf' exceeds the end of the
|
||||
table, return offset=0, length=0. If `pos2', the offset to the
|
||||
next entry in `glyf' exceeds the end of the table, truncate
|
||||
the entry length at the end of `glyf' table.
|
||||
See Savannah bug #31040.
|
||||
table, return offset=0, length=0. If `pos2', the offset to the next
|
||||
entry in `glyf' exceeds the end of the table, truncate the entry
|
||||
length at the end of `glyf' table.
|
||||
|
||||
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
[sfnt] Prevent overrunning in `post' table parser.
|
||||
See Savannah bug #31040.
|
||||
|
||||
* src/sfnt/ttpost.c (load_post_names): Get the length of
|
||||
`post' table and pass the limit of `post' table to
|
||||
load_format_20() and load_format_25().
|
||||
(load_format_20): Stop the parsing when we reached at the
|
||||
limit of `post' table. If more glyph names are required,
|
||||
they are filled by NULL names. See Savannah bug #31040.
|
||||
* src/sfnt/ttpost.c (load_post_names): Get the length of `post'
|
||||
table and pass the limit of `post' table to load_format_20() and
|
||||
load_format_25().
|
||||
(load_format_20): Stop the parsing when we reached at the limit of
|
||||
`post' table. If more glyph names are required, they are filled by
|
||||
NULL names.
|
||||
|
||||
2010-09-17 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
[truetype] Don't duplicate size->twilight structure to be freed.
|
||||
See Savannah bug #31040 for detail.
|
||||
|
||||
* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
|
||||
FT_GlyphZoneRec size->twilight to be freed. If duplicated,
|
||||
FT_FREE() erases the duplicated pointers only and leave original
|
||||
pointers. They can cause the double-free crash when the burst
|
||||
errors occur in TrueType interpreter and free_buffer_in_size()
|
||||
is invoked repeatedly. See Savannah bug #31040 for detail.
|
||||
errors occur in TrueType interpreter and free_buffer_in_size() is
|
||||
invoked repeatedly.
|
||||
|
||||
2010-09-15 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
|
|
|
@ -519,9 +519,10 @@
|
|||
}
|
||||
}
|
||||
|
||||
/* XXX: should check off2 does not exceed the end of this entry */
|
||||
/* at present, only truncate off 2 at the end of this stream */
|
||||
if ( idx->data_offset + off2 - 1 > stream->size )
|
||||
/* XXX: should check off2 does not exceed the end of this entry; */
|
||||
/* at present, only truncate off2 at the end of this stream */
|
||||
if ( off2 > stream->size + 1 ||
|
||||
idx->data_offset > stream->size - off2 + 1 )
|
||||
{
|
||||
FT_ERROR(( "cff_index_access_element:"
|
||||
" offset to next entry (%d)"
|
||||
|
@ -791,16 +792,11 @@
|
|||
|
||||
for ( i = 0; i < num_glyphs; i++ )
|
||||
{
|
||||
if ( charset->sids[i] > 0xFFFFU )
|
||||
FT_ERROR(( "cff_charset_compute_cids():"
|
||||
" ignore CID (0x%lx) for SID (0x%lx),"
|
||||
" greater than PS/PDF spec\n",
|
||||
charset->sids[i], i ));
|
||||
else if ( charset->sids[i] > max_cid )
|
||||
if ( charset->sids[i] > max_cid )
|
||||
max_cid = charset->sids[i];
|
||||
}
|
||||
|
||||
if ( FT_NEW_ARRAY( charset->cids, max_cid + 1 ) )
|
||||
if ( FT_NEW_ARRAY( charset->cids, (FT_ULong)max_cid + 1 ) )
|
||||
goto Exit;
|
||||
|
||||
/* When multiple GIDs map to the same CID, we choose the lowest */
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
/* Postcript name table processing for TrueType and OpenType fonts */
|
||||
/* (body). */
|
||||
/* */
|
||||
/* Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009 by */
|
||||
/* Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009, 2010 by */
|
||||
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
|
||||
/* */
|
||||
/* This file is part of the FreeType project, and may only be used, */
|
||||
|
@ -154,7 +154,7 @@
|
|||
static FT_Error
|
||||
load_format_20( TT_Face face,
|
||||
FT_Stream stream,
|
||||
FT_ULong post_limit )
|
||||
FT_Long post_limit )
|
||||
{
|
||||
FT_Memory memory = stream->memory;
|
||||
FT_Error error;
|
||||
|
@ -231,30 +231,34 @@
|
|||
FT_UInt len;
|
||||
|
||||
|
||||
FT_TRACE7(( "load_format_20: %d byte left in post table\n",
|
||||
post_limit - FT_STREAM_POS() ));
|
||||
|
||||
if ( FT_STREAM_POS() >= post_limit )
|
||||
{
|
||||
FT_ERROR(( "load_format_20:"
|
||||
" all entries in post table is already parsed,"
|
||||
" put NULL name for gid=%d\n", n ));
|
||||
" all entries in post table are already parsed,"
|
||||
" using NULL for gid %d\n", n ));
|
||||
len = 0;
|
||||
}
|
||||
else if ( FT_READ_BYTE( len ) )
|
||||
goto Fail1;
|
||||
else
|
||||
{
|
||||
FT_TRACE6(( "load_format_20: %d byte left in post table\n",
|
||||
post_limit - FT_STREAM_POS() ));
|
||||
|
||||
if ( len > 0 && FT_STREAM_POS() + len > post_limit )
|
||||
if ( FT_READ_BYTE( len ) )
|
||||
goto Fail1;
|
||||
}
|
||||
|
||||
if ( (FT_Int)len > post_limit ||
|
||||
FT_STREAM_POS() > post_limit - (FT_Int)len )
|
||||
{
|
||||
FT_ERROR(( "load_format_20:"
|
||||
" too large string length (%d)"
|
||||
" truncate at the end of post table (%d byte left)\n",
|
||||
" exceeding string length (%d),"
|
||||
" truncating at end of post table (%d byte left)\n",
|
||||
len, post_limit - FT_STREAM_POS() ));
|
||||
len = FT_MAX( 0, post_limit - FT_STREAM_POS() );
|
||||
}
|
||||
|
||||
if ( FT_NEW_ARRAY( name_strings[n], len + 1 ) ||
|
||||
FT_STREAM_READ ( name_strings[n], len ) )
|
||||
FT_STREAM_READ( name_strings[n], len ) )
|
||||
goto Fail1;
|
||||
|
||||
name_strings[n][len] = '\0';
|
||||
|
@ -294,7 +298,7 @@
|
|||
static FT_Error
|
||||
load_format_25( TT_Face face,
|
||||
FT_Stream stream,
|
||||
FT_ULong post_limit )
|
||||
FT_Long post_limit )
|
||||
{
|
||||
FT_Memory memory = stream->memory;
|
||||
FT_Error error;
|
||||
|
@ -302,6 +306,8 @@
|
|||
FT_Int num_glyphs;
|
||||
FT_Char* offset_table = 0;
|
||||
|
||||
FT_UNUSED( post_limit );
|
||||
|
||||
|
||||
/* UNDOCUMENTED! This value appears only in the Apple TT specs. */
|
||||
if ( FT_READ_USHORT( num_glyphs ) )
|
||||
|
@ -361,7 +367,8 @@
|
|||
FT_Stream stream;
|
||||
FT_Error error;
|
||||
FT_Fixed format;
|
||||
FT_ULong post_len, post_limit;
|
||||
FT_ULong post_len;
|
||||
FT_Long post_limit;
|
||||
|
||||
|
||||
/* get a stream for the face's resource */
|
||||
|
|
Loading…
Reference in New Issue