minhngoc25a
/
freetype2
mirror of git://git.savannah.gnu.org/freetype/freetype2.git
2
1
Fork 2
Code Issues 4 Releases Wiki Activity

* src/sfnt/sfobjs.c (sfnt_open_font): Check number of TTC subfonts.

This commit is contained in:
Werner Lemberg 2011-03-20 07:51:57 +01:00
parent 8bd77f9030
commit af7b8b1a9f
2 changed files with 18 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -1,3 +1,7 @@
2011-03-20 Werner Lemberg <wl@gnu.org>
* src/sfnt/sfobjs.c (sfnt_open_font): Check number of TTC subfonts.
2011-03-19 Werner Lemberg <wl@gnu.org>
More C++ compilation fixes.

17
src/sfnt/sfobjs.c
View File

@ -4,7 +4,7 @@
/* */
/* SFNT object management (base). */
/* */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010 by */
/* Copyright 1996-2008, 2010-2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -356,7 +356,7 @@
FT_FRAME_START( 8 ),
FT_FRAME_LONG( version ),
FT_FRAME_LONG( count ),
FT_FRAME_LONG( count ), /* this is ULong in the specs */
FT_FRAME_END
};
@ -390,6 +390,17 @@
if ( FT_STREAM_READ_FIELDS( ttc_header_fields, &face->ttc_header ) )
return error;
if ( face->ttc_header.count == 0 )
return SFNT_Err_Invalid_Table;
/* a rough size estimate: let's conservatively assume that there */
/* is just a single table info in each subfont header (12 + 16*1 = */
/* 28 bytes), thus we have (at least) `12 + 4*count' bytes for the */
/* size of the TTC header plus `28*count' bytes for all subfont */
/* headers */
if ( (FT_ULong)face->ttc_header.count > stream->size / ( 28 + 4 ) )
return SFNT_Err_Array_Too_Large;
/* now read the offsets of each font in the file */
if ( FT_NEW_ARRAY( face->ttc_header.offsets, face->ttc_header.count ) )
return error;
@ -536,7 +547,7 @@
FT_UNUSED( face_index );
/* Check parameters */
{
FT_Int i;