From 13472b38d345843b4084ffda334a56c4a07436d4 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 2 Oct 2003 21:36:18 +0000
Subject: [PATCH] * src/winfonts/winfnt.c (FT_WinFNT_HeaderRec): `color_table_offset' has four bytes, not two. Fix all users. (fnt_font_load, FNT_Load_Glyph): Add more font validity tests.

---
 ChangeLog             | 7 +++++++
 src/winfonts/winfnt.c | 25 ++++++++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1a6e916e7..c97afb853 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2003-10-02 Markus F.X.J. Oberhumer
+
+ * src/winfonts/winfnt.c (FT_WinFNT_HeaderRec): `color_table_offset'
+ has four bytes, not two.
+ Fix all users.
+ (fnt_font_load, FNT_Load_Glyph): Add more font validity tests.
+
 2003-10-01 David Turner
 
 * src/autofit/*: adding first sources of the new multi-script
diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
index 13a5f4773..37f2faacd 100644
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -70,7 +70,7 @@
 #undef FT_STRUCTURE
 #define FT_STRUCTURE FT_WinFNT_HeaderRec
 
- FT_FRAME_START( 146 ),
+ FT_FRAME_START( 148 ),
 FT_FRAME_USHORT_LE( version ),
 FT_FRAME_ULONG_LE ( file_size ),
 FT_FRAME_BYTES ( copyright, 60 ),
@@ -105,7 +105,7 @@
 FT_FRAME_USHORT_LE( A_space ),
 FT_FRAME_USHORT_LE( B_space ),
 FT_FRAME_USHORT_LE( C_space ),
- FT_FRAME_USHORT_LE( color_table_offset ),
+ FT_FRAME_ULONG_LE ( color_table_offset ),
 FT_FRAME_BYTES ( reserved1, 16 ),
 FT_FRAME_END
 };
@@ -136,6 +136,8 @@
 {
 FT_Error error;
 FT_WinFNT_Header header = &font->header;
+ FT_Bool new_format;
+ FT_UInt size;
 
 /* first of all, read the FNT header */
 
@@ -152,6 +154,16 @@
 goto Exit;
 }
 
+ new_format = FT_BOOL( font->header.version == 0x300 );
+ size = new_format ? 148 : 118;
+
+ if ( header->file_size < size )
+ {
+ FT_TRACE2(( "[not a valid FNT file]\n" ));
+ error = FNT_Err_Unknown_File_Format;
+ goto Exit;
+ }
+
 /* Version 2 doesn't have these fields */
 if ( header->version == 0x200 )
 {
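Review bot: The header size is still hard-coded in three places after this change — `size = new_format ? 148 : 118;` in the @@ -152 hunk, `( new_format ? 148 : 118 )` in the @@ -572 hunk, and `FT_FRAME_START( 148 )` at @@ -70 — which is exactly how the 146/148 mismatch this commit fixes crept in. I would define the two sizes once next to the frame table, e.g. (constructed names) `enum { FNT_HEADER_SIZE_V2 = 118, FNT_HEADER_SIZE_V3 = 148 };`, use them in both functions, and put a comment on the table stating that the FT_FRAME_START argument must equal the v3 constant. Note also that `header->file_size` is itself a field read from the font, so `if ( header->file_size < size )` only rejects a self-inconsistent header; whether the frame later extracted for `font->fnt_frame` is bounded by that same value is outside this hunk and worth confirming, because the @@ -581 offset check relies on it. The rejection here uses FNT_Err_Unknown_File_Format while the @@ -581 check uses FNT_Err_Invalid_File_Format; once the version has been recognized, Invalid_File_Format seems the more consistent code for a bad size. fnt_font_load's body continues outside the hunk.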
@@ -572,7 +584,7 @@
 len = new_format ? 6 : 4;
 
 /* jump to glyph entry */
- p = font->fnt_frame + ( new_format ? 146 : 118 ) + len * glyph_index;
+ p = font->fnt_frame + ( new_format ? 148 : 118 ) + len * glyph_index;
 
 bitmap->width = FT_NEXT_SHORT_LE( p );
 
@@ -581,6 +593,13 @@
 else
 offset = FT_NEXT_USHORT_LE( p );
 
+ if ( offset >= font->header.file_size )
+ {
+ FT_TRACE2(( "invalid FNT offset!\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
 /* jump to glyph data */
 p = font->fnt_frame + /* font->header.bits_offset */ + offset;
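Review bot: The new check `if ( offset >= font->header.file_size )` bounds only the first byte of the glyph data: it guarantees that `p = font->fnt_frame + offset` starts inside the declared file, but the bitmap copied from `p` further down spans pitch times rows bytes (computed below this hunk from `bitmap->width` and the header's pixel height, as far as I can tell), so an `offset` just below `file_size` with a wide or tall glyph still reads past the end of the frame. The bound should cover the end of the glyph, e.g. `if ( offset + bitmap->pitch * bitmap->rows > font->header.file_size )` placed once the pitch and row count are known, with the existing check kept as the early rejection. The `bitmap->width = FT_NEXT_SHORT_LE( p )` context line also takes a signed value straight from the file, so a negative width reaching the pitch computation is worth a check in the same place. FNT_Load_Glyph's body starts and ends outside the hunk.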