ReceiveTempSMS
/
Al-Qurtas-Islamic-bank-The-Best-Bank-in-Iraq
forked from minhngoc25a/freetype2
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[sfnt] Delay setting gasp ranges and count until computed. 

Previously, the gasp.numRanges was set and gasp.gaspRanges was
allocated and assigned before a possible early exit if the frame could
not be entered. It is also possible that the gaspRanges allocation
could fail but the numRanges still be set to non-zero. In such cases
an error would be returned, but the face would have a gasp in an
inconsistent state which may still be accessed.

Reported as
  https://bugs.chromium.org/p/chromium/issues/detail?id=1261450

* src/sfnt/ttload.c (tt_face_load_gasp): Delay setting gasp.numRanges
and gasp.gaspRanges until after the ranges are initialized.
This commit is contained in:
Ben Wagner 2021-10-20 11:45:15 -04:00 committed by Alexei Podtelezhnikov
parent 6d12e3a0ca
commit fde91ab8f1
1 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/sfnt/ttload.c
View File

@ -1434,7 +1434,7 @@
FT_Memory memory = stream->memory; FT_Memory memory = stream->memory;
FT_UInt j,num_ranges; FT_UInt j,num_ranges;
TT_GaspRange gaspranges = NULL; TT_GaspRange gasp_ranges = NULL;
/* the gasp table is optional */ /* the gasp table is optional */
@ -1445,8 +1445,8 @@
if ( FT_FRAME_ENTER( 4L ) ) if ( FT_FRAME_ENTER( 4L ) )
goto Exit; goto Exit;
face->gasp.version = FT_GET_USHORT(); face->gasp.version = FT_GET_USHORT();
face->gasp.numRanges = FT_GET_USHORT(); num_ranges = FT_GET_USHORT();
FT_FRAME_EXIT(); FT_FRAME_EXIT();
@ -1458,29 +1458,31 @@
goto Exit; goto Exit;
} }
num_ranges = face->gasp.numRanges;
FT_TRACE3(( "numRanges: %u\n", num_ranges )); FT_TRACE3(( "numRanges: %u\n", num_ranges ));
if ( FT_QNEW_ARRAY( face->gasp.gaspRanges, num_ranges ) || if ( FT_QNEW_ARRAY( gasp_ranges, num_ranges ) ||
FT_FRAME_ENTER( num_ranges * 4L ) ) FT_FRAME_ENTER( num_ranges * 4L ) )
goto Exit; goto Exit;
gaspranges = face->gasp.gaspRanges;
for ( j = 0; j < num_ranges; j++ ) for ( j = 0; j < num_ranges; j++ )
{ {
gaspranges[j].maxPPEM = FT_GET_USHORT(); gasp_ranges[j].maxPPEM = FT_GET_USHORT();
gaspranges[j].gaspFlag = FT_GET_USHORT(); gasp_ranges[j].gaspFlag = FT_GET_USHORT();
FT_TRACE3(( "gaspRange %d: rangeMaxPPEM %5d, rangeGaspBehavior 0x%x\n", FT_TRACE3(( "gaspRange %d: rangeMaxPPEM %5d, rangeGaspBehavior 0x%x\n",
j, j,
gaspranges[j].maxPPEM, gasp_ranges[j].maxPPEM,
gaspranges[j].gaspFlag )); gasp_ranges[j].gaspFlag ));
} }
face->gasp.gaspRanges = gasp_ranges;
gasp_ranges = NULL;
face->gasp.numRanges = num_ranges;
FT_FRAME_EXIT(); FT_FRAME_EXIT();
Exit: Exit:
FT_FREE( gasp_ranges );
return error; return error;
} }