From 88169b107a2f5311cbfc2fbe1542137b8f0b2bb2 Mon Sep 17 00:00:00 2001
From: Ken Sharp
Date: Tue, 11 May 2010 00:03:33 +0200
Subject: [PATCH] Fix Savannah bug #29846.

Previously we discovered fonts which used `setcurrentpoint' to set the
initial point of a contour to 0,0. This caused FreeType to raise an
error, because the `setcurrentpoint' operator is only supposed to be
used with the results from an OtherSubr subroutine.

This was fixed by simply ignoring the error and carrying on.

Now we have found a font which uses setcurrentpoint to actually
establish a non-zero point for a contour during the course of a glyph
program. FWIW, these files may be produced by an application called
`Intaglio' on the Mac, when converting TrueType fonts to Type 1.

The fix allows the new invalid behaviour, the old invalid behaviour and
real proper usage of the operator to work the same way as Adobe
interpreters apparently do.

(t1_decoder_parse_charstrings): Make `setcurrentpoint' use the top two
elements of the stack to establish unconditionally the current x and y
coordinates.

Make the `flex' subroutine handling (OtherSubr 0) put the current x,y
coordinates onto the stack, instead of two dummy uninitialised values.
---
 ChangeLog            | 30 +++++++++++++++++++++++++++++-
 src/psaux/t1decode.c |  4 ++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 9e14fb520..0a0f4ecde 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,33 @@ -2010-04-14 Ken Sharp +2010-05-10 Ken Sharp + Fix Savannah bug #29846. + + Previously we discovered fonts which used `setcurrentpoint' to set + the initial point of a contour to 0,0. This caused FreeType to + raise an error, because the `setcurrentpoint' operator is only + supposed to be used with the results from an OtherSubr subroutine. + + This was fixed by simply ignoring the error and carrying on. + + Now we have found a font which uses setcurrentpoint to actually + establish a non-zero point for a contour during the course of a + glyph program. FWIW, these files may be produced by an application + called `Intaglio' on the Mac, when converting TrueType fonts to + Type 1. + + The fix allows the new invalid behaviour, the old invalid behaviour + and real proper usage of the operator to work the same way as Adobe + interpreters apparently do. + + (t1_decoder_parse_charstrings): Make `setcurrentpoint' use the top + two elements of the stack to establish unconditionally the current x + and y coordinates. + + Make the `flex' subroutine handling (OtherSubr 0) put the current + x,y coordinates onto the stack, instead of two dummy uninitialised + values. + +2010-04-14 Ken Sharp Fix Savannah bug #29444. * src/psaux/psobjs.c (t1_builder_start_point): Accept (invalid) diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c index 31554ff1b..4f7853e6e 100644 --- a/src/psaux/t1decode.c +++ b/src/psaux/t1decode.c @@ -777,6 +777,8 @@ } /* the two `results' are popped by the following setcurrentpoint */ + top[0] = x; + top[1] = y; known_othersubr_result_cnt = 2; break; @@ -1481,6 +1483,8 @@ } else #endif + x = top[0]; + y = top[1]; decoder->flex_state = 0; break;
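Review bot: The new 2010-05-10 entry in the ChangeLog hunk introduces its first item as `(t1_decoder_parse_charstrings):` with no file name, while the 2010-04-14 entry kept as context below it uses the form `* src/psaux/psobjs.c (t1_builder_start_point):`. Writing it as `* src/psaux/t1decode.c (t1_decoder_parse_charstrings):` would keep the entry consistent with its neighbour and make it possible to find the change from the ChangeLog alone.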
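Review bot: In the src/psaux/t1decode.c hunk at -777 (flex handling, OtherSubr 0), the context comment above the added lines still calls the two stack entries `results' in quotes, which described the old dummy values; now that `top[0] = x;` and `top[1] = y;` store the real current point for the following setcurrentpoint to read back, the comment should say that. The visible lines also show no check that `top` has room for two entries at this point, so it is worth confirming that the argument handling earlier in this case guarantees it, given that charstrings come from untrusted font files.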
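Review bot: In the src/psaux/t1decode.c hunk at -1481 (setcurrentpoint), the two added assignments sit directly after a brace-less `else` that is followed by `#endif`, so whenever the preprocessor block above is compiled in only `x = top[0];` is bound to the `else`. In that configuration `y = top[1];` and `decoder->flex_state = 0;` run on every path, including the one the `if` branch takes, whereas before this change `decoder->flex_state = 0;` was the `else` body. The commit message says the coordinates are to be set unconditionally; if so, move the three statements after the conditional block (or drop the `else`) so that the behaviour does not depend on the preprocessor setting, and otherwise wrap them in braces so that all three belong to the `else`.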