From 19cb1127d4a2520126477382f35b489b48530b7e Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 15 Sep 2015 08:52:36 +0200
Subject: [PATCH] [type1, type42] Fix memory leaks (#45966).
* src/type1/t1load.c (parse_blend_axis_types): Handle multiple axis names. (parse_blend_design_map): Allow only a single design map. (parse_encoding): Handle multiple encoding vectors.
* src/type42/t42parse.c (t42_parse_encoding): Handle multiple encoding vectors.
---
 ChangeLog | 12 ++++++++++++
 src/type1/t1load.c | 24 ++++++++++++++++++++++++
 src/type42/t42parse.c | 8 ++++++++
 3 files changed, 44 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index ec9e8d0c1..0c689c0e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2015-09-15 Werner Lemberg
+
+ [type1, type42] Fix memory leaks (#45966).
+
+ * src/type1/t1load.c (parse_blend_axis_types): Handle multiple axis
+ names.
+ (parse_blend_design_map): Allow only a single design map.
+ (parse_encoding): Handle multiple encoding vectors.
+
+ * src/type42/t42parse.c (t42_parse_encoding): Handle multiple
+ encoding vectors.
+
 2015-09-15 Werner Lemberg
 [truetype] Fix integer type (#45965).
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 4d065f88a..479cb7a00 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -615,6 +615,15 @@
 goto Exit;
 }
+ name = (FT_Byte*)blend->axis_names[n];
+ if ( name )
+ {
+ FT_TRACE0(( "parse_blend_axis_types:"
+ " overwriting axis name `%s' with `%*.s'\n",
+ name, len, token->start ));
+ FT_FREE( name );
+ }
+
 if ( FT_ALLOC( blend->axis_names[n], len + 1 ) )
 goto Exit;
@@ -787,6 +796,13 @@
 goto Exit;
 }
+ if ( map->design_points )
+ {
+ FT_ERROR(( "parse_blend_design_map: duplicate table\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
 /* allocate design map data */
 if ( FT_NEW_ARRAY( map->design_points, num_points * 2 ) )
 goto Exit;
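Review bot: The trace message added in the `@@ -615` hunk formats the new axis name with `%*.s`, which passes `len` as a field width and leaves the precision empty, so none of `token->start` is printed; the conversion was presumably meant to be `%.*s`, which also bounds the read of a token that may not be NUL-terminated. The `*` argument has to be an `int`, and `len` is declared outside the hunk, so a cast may be needed. Separately, `FT_FREE( name )` releases the buffer through the local alias, leaving `blend->axis_names[n]` pointing at freed memory until the following `FT_ALLOC` assigns it; `FT_FREE( blend->axis_names[n] );` would not depend on that ordering. The body of parse_blend_axis_types continues outside the hunk.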
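Review bot: The duplicate check in the `@@ -787` hunk rejects the font, whereas the axis-name and encoding hunks of the same commit free the old data and accept the new one, and nothing at the site records why this table is handled differently. A short comment above the check would capture the decision, e.g. `/* a repeated design map is rejected as malformed instead of replacing the first one */`. The guard also relies on `map->design_points` being NULL before the first table is parsed, which depends on initialisation that lies outside the hunk and is worth confirming.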
@@ -1205,6 +1221,14 @@
 if ( parser->root.cursor >= limit )
 return;
+ /* PostScript happily allows overwriting of encoding arrays */
+ if ( encode->char_index )
+ {
+ FT_FREE( encode->char_index );
+ FT_FREE( encode->char_name );
+ T1_Release_Table( char_table );
+ }
+
 /* we use a T1_Table to store our charnames */
 loader->num_chars = encode->num_chars = count;
 if ( FT_NEW_ARRAY( encode->char_index, count ) ||
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index ae062daab..ee77d8638 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -345,6 +345,14 @@
 if ( parser->root.cursor >= limit )
 return;
+ /* PostScript happily allows overwriting of encoding arrays */
+ if ( encode->char_index )
+ {
+ FT_FREE( encode->char_index );
+ FT_FREE( encode->char_name );
+ T1_Release_Table( char_table );
+ }
+
 /* we use a T1_Table to store our charnames */
 loader->num_chars = encode->num_chars = count;
 if ( FT_NEW_ARRAY( encode->char_index, count ) ||
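Review bot: The reset added in the `@@ -1205` hunk is guarded by `encode->char_index` alone, so it assumes `char_index`, `char_name` and `char_table` are always set up and torn down together. If an earlier pass bailed out after allocating `char_index` but before the table was initialised, `T1_Release_Table( char_table )` would run on a table whose state this hunk does not show to be valid. It would help to state the invariant next to the existing comment, e.g. `/* char_index, char_name and char_table are created as a unit below */`, and to confirm that `T1_Release_Table` tolerates a table that was never initialised. The identical block is added to t42_parse_encoding in the `@@ -345` hunk of src/type42/t42parse.c, so the same applies there, and a shared helper would keep the two copies in step. Both enclosing functions start and end outside their hunks.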