From 7cb9ec0f1c9b3ce3c92c840cdc9a18a576993bc3 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 9 Jun 2008 20:49:29 +0000 Subject: [PATCH] * src/type1/t1parse.h (T1_ParserRec): Make `base_len' and `private_len' unsigned. * src/type1/t1parse.c (read_pfb_tag): Make `asize' unsigned and read it as such. (T1_New_Parser, T1_Get_Private_Dict): Make `size' unsigned. * src/base/ftstream.c (FT_Stream_Skip): Reject negative values. * src/type1/t1load.c (parse_blend_design_positions): Check `n_axis' for sane value. Fix typo. * src/psaux/psobjs.c (ps_table_add): Check `idx' correctly. * src/truetype/ttinterp (Ins_SHC): Use BOUNDS() to check `last_point'. * src/sfnt/ttload.c (tt_face_load_max_profile): Limit `maxTwilightPoints'. --- ChangeLog | 28 ++++++++++++++++++++++++++++ docs/CHANGES | 2 ++ src/base/ftstream.c | 5 ++++- src/psaux/psobjs.c | 4 ++-- src/sfnt/ttload.c | 11 ++++++++++- src/truetype/ttinterp.c | 2 +- src/type1/t1load.c | 11 ++++++++++- src/type1/t1parse.c | 37 +++++++++++++++++++++---------------- src/type1/t1parse.h | 6 +++--- 9 files changed, 81 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index cc9ffdad4..a5552ae95 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,31 @@ +2008-06-08 Werner Lemberg + + * src/type1/t1parse.h (T1_ParserRec): Make `base_len' and + `private_len' unsigned. + + * src/type1/t1parse.c (read_pfb_tag): Make `asize' unsigned and read + it as such. + (T1_New_Parser, T1_Get_Private_Dict): Make `size' unsigned. + + + * src/base/ftstream.c (FT_Stream_Skip): Reject negative values. + + + * src/type1/t1load.c (parse_blend_design_positions): Check `n_axis' + for sane value. + Fix typo. + + + * src/psaux/psobjs.c (ps_table_add): Check `idx' correctly. + + + * src/truetype/ttinterp (Ins_SHC): Use BOUNDS() to check + `last_point'. + + + * src/sfnt/ttload.c (tt_face_load_max_profile): Limit + `maxTwilightPoints'. + 2008-06-06 Werner Lemberg * src/truetype/ttinterp.c (Ins_IP): Handle case `org_dist == 0' diff --git a/docs/CHANGES b/docs/CHANGES index 9fe53a7c7..f163b4374 100644 --- a/docs/CHANGES +++ b/docs/CHANGES @@ -10,6 +10,8 @@ CHANGES BETWEEN 2.3.6 and 2.3.5 it's always possible to manually select an Apple Unicode cmap if desired. + - Many bug fixes to the TrueType bytecode interpreter. + - Improved Mac support. - Subsetted CID-keyed CFFs are now supported correctly. diff --git a/src/base/ftstream.c b/src/base/ftstream.c index a067a1fde..569e46c79 100644 --- a/src/base/ftstream.c +++ b/src/base/ftstream.c @@ -4,7 +4,7 @@ /* */ /* I/O stream support (body). */ /* */ -/* Copyright 2000-2001, 2002, 2004, 2005, 2006 by */ +/* Copyright 2000-2001, 2002, 2004, 2005, 2006, 2008 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -89,6 +89,9 @@ FT_Stream_Skip( FT_Stream stream, FT_Long distance ) { + if ( distance < 0 ) + return FT_Err_Invalid_Stream_Operation; + return FT_Stream_Seek( stream, (FT_ULong)( stream->pos + distance ) ); } diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c index 9d3ebdf2e..b7b84ac83 100644 --- a/src/psaux/psobjs.c +++ b/src/psaux/psobjs.c @@ -4,7 +4,7 @@ /* */ /* Auxiliary functions for PostScript fonts (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007 by */ +/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -169,7 +169,7 @@ void* object, FT_PtrDist length ) { - if ( idx < 0 || idx > table->max_elems ) + if ( idx < 0 || idx >= table->max_elems ) { FT_ERROR(( "ps_table_add: invalid index\n" )); return PSaux_Err_Invalid_Argument; diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c index abe0278a2..6b7c34262 100644 --- a/src/sfnt/ttload.c +++ b/src/sfnt/ttload.c @@ -5,7 +5,7 @@ /* Load the basic TrueType tables, i.e., tables that can be either in */ /* TTF or OTF fonts (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007 by */ +/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -618,6 +618,15 @@ if ( maxProfile->maxFunctionDefs == 0 ) maxProfile->maxFunctionDefs = 64; + + /* we add 4 phantom points later */ + if ( maxProfile->maxTwilightPoints > ( 0xFFFFU - 4 ) ) + { + FT_ERROR(( "Too much twilight points in `maxp' table;\n" )); + FT_ERROR(( " some glyphs might be rendered incorrectly.\n" )); + + maxProfile->maxTwilightPoints = 0xFFFFU - 4; + } } FT_TRACE3(( "numGlyphs: %u\n", maxProfile->numGlyphs )); diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index f0f91e982..f9c36560e 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -5449,7 +5449,7 @@ /* XXX: this is probably wrong... at least it prevents memory */ /* corruption when zp2 is the twilight zone */ - if ( last_point > CUR.zp2.n_points ) + if ( BOUNDS( last_point, CUR.zp2.n_points ) ) { if ( CUR.zp2.n_points > 0 ) last_point = (FT_UShort)(CUR.zp2.n_points - 1); diff --git a/src/type1/t1load.c b/src/type1/t1load.c index 508fd890b..9d7c748b3 100644 --- a/src/type1/t1load.c +++ b/src/type1/t1load.c @@ -674,7 +674,7 @@ for ( n = 0; n < num_designs; n++ ) { - T1_TokenRec axis_tokens[T1_MAX_MM_DESIGNS]; + T1_TokenRec axis_tokens[T1_MAX_MM_AXIS]; T1_Token token; FT_Int axis, n_axis; @@ -687,6 +687,15 @@ if ( n == 0 ) { + if ( n_axis <= 0 || n_axis > T1_MAX_MM_AXIS ) + { + FT_ERROR(( "parse_blend_design_positions:" )); + FT_ERROR(( " invalid number of axes: %d\n", + n_axis )); + error = T1_Err_Invalid_File_Format; + goto Exit; + } + num_axis = n_axis; error = t1_allocate_blend( face, num_designs, num_axis ); if ( error ) diff --git a/src/type1/t1parse.c b/src/type1/t1parse.c index 1b252c748..36f5c82c8 100644 --- a/src/type1/t1parse.c +++ b/src/type1/t1parse.c @@ -4,7 +4,7 @@ /* */ /* Type 1 parser (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005 by */ +/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -65,14 +65,16 @@ /*************************************************************************/ + /* see Adobe Technical Note 5040.Download_Fonts.pdf */ + static FT_Error read_pfb_tag( FT_Stream stream, FT_UShort *atag, - FT_Long *asize ) + FT_ULong *asize ) { FT_Error error; FT_UShort tag; - FT_Long size; + FT_ULong size; *atag = 0; @@ -82,7 +84,7 @@ { if ( tag == 0x8001U || tag == 0x8002U ) { - if ( !FT_READ_LONG_LE( size ) ) + if ( !FT_READ_ULONG_LE( size ) ) *asize = size; } @@ -100,22 +102,25 @@ { FT_Error error; FT_UShort tag; - FT_Long size; + FT_ULong dummy; if ( FT_STREAM_SEEK( 0 ) ) goto Exit; - error = read_pfb_tag( stream, &tag, &size ); + error = read_pfb_tag( stream, &tag, &dummy ); if ( error ) goto Exit; + /* We assume that the first segment in a PFB is always encoded as */ + /* text. This might be wrong (and the specification doesn't insist */ + /* on that), but we have never seen a counterexample. */ if ( tag != 0x8001U && FT_STREAM_SEEK( 0 ) ) goto Exit; if ( !FT_FRAME_ENTER( header_length ) ) { - error = 0; + error = T1_Err_Ok; if ( ft_memcmp( stream->cursor, header_string, header_length ) != 0 ) error = T1_Err_Unknown_File_Format; @@ -136,7 +141,7 @@ { FT_Error error; FT_UShort tag; - FT_Long size; + FT_ULong size; psaux->ps_parser_funcs->init( &parser->root, 0, 0, memory ); @@ -170,19 +175,19 @@ /* Here a short summary of what is going on: */ /* */ /* When creating a new Type 1 parser, we try to locate and load */ - /* the base dictionary if this is possible (i.e. for PFB */ + /* the base dictionary if this is possible (i.e., for PFB */ /* files). Otherwise, we load the whole font into memory. */ /* */ /* When `loading' the base dictionary, we only setup pointers */ /* in the case of a memory-based stream. Otherwise, we */ /* allocate and load the base dictionary in it. */ /* */ - /* parser->in_pfb is set if we are in a binary (".pfb") font. */ + /* parser->in_pfb is set if we are in a binary (`.pfb') font. */ /* parser->in_memory is set if we have a memory stream. */ /* */ - /* try to compute the size of the base dictionary; */ - /* look for a Postscript binary file tag, i.e 0x8001 */ + /* try to compute the size of the base dictionary; */ + /* look for a Postscript binary file tag, i.e., 0x8001 */ if ( FT_STREAM_SEEK( 0L ) ) goto Exit; @@ -217,7 +222,7 @@ } else { - /* read segment in memory - this is clumsy, but so does the format */ + /* read segment in memory -- this is clumsy, but so does the format */ if ( FT_ALLOC( parser->base_dict, size ) || FT_STREAM_READ( parser->base_dict, size ) ) goto Exit; @@ -260,7 +265,7 @@ FT_Stream stream = parser->stream; FT_Memory memory = parser->root.memory; FT_Error error = T1_Err_Ok; - FT_Long size; + FT_ULong size; if ( parser->in_pfb ) @@ -299,7 +304,7 @@ goto Fail; } - if ( FT_STREAM_SEEK( start_pos ) || + if ( FT_STREAM_SEEK( start_pos ) || FT_ALLOC( parser->private_dict, parser->private_len ) ) goto Fail; @@ -409,7 +414,7 @@ goto Exit; } - size = (FT_Long)( parser->base_len - ( cur - parser->base_dict ) ); + size = parser->base_len - ( cur - parser->base_dict ); if ( parser->in_memory ) { diff --git a/src/type1/t1parse.h b/src/type1/t1parse.h index 6fa4ca624..fb1c8a883 100644 --- a/src/type1/t1parse.h +++ b/src/type1/t1parse.h @@ -4,7 +4,7 @@ /* */ /* Type 1 parser (specification). */ /* */ -/* Copyright 1996-2001, 2002, 2003 by */ +/* Copyright 1996-2001, 2002, 2003, 2008 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -64,10 +64,10 @@ FT_BEGIN_HEADER FT_Stream stream; FT_Byte* base_dict; - FT_Long base_len; + FT_ULong base_len; FT_Byte* private_dict; - FT_Long private_len; + FT_ULong private_len; FT_Bool in_pfb; FT_Bool in_memory;