* src/lzw/ftzopen.c (ft_lzwstate_io) <FT_LZW_PHASE_CODE>:
Ensure that subsequent (modulo garbage byte(s)) LZW_CLEAR codes are
handled as clear codes. This also re-sets old_code and old_char to
predictable values, which is a little better than using `random'
ones if the code following LZW_CLEAR is invalid.
Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is
constructed correctly. It's even less than that, see e.g.
libarchive code comment for a better size upper bound:
http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121
This patch adds explicit stack size limit, enforced when stack is
realloced.
An alternative is to ensure that code < state->prefix[code - 256]
when traversing prefix table. Such check is less efficient and
should not be required if prefix table is constructed correctly in
the first place.
* src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it.
LZW decompressor did not sufficiently check codes read from the
input LZW stream. A specially-crafted or corrupted input could
create a loop in the prefix table, which leads to memory usage
spikes, as there's no decompression stack size limit.
* src/lzw/ftzopen.c (ft_lzwstate_io) <FT_LZW_PHASE_START>: First
code in valid LZW stream must be 0..255.
<FT_LZW_PHASE_CODE>: In the special KwKwK case, code == free_ent,
code > free_ent is invalid.
src/base/ftmac.c, src/base/ftrfork.c, src/lzw/ftzopen.c,
src/raster/ftrend1.c, src/sfnt/ttpost.c, src/truetype/ttgxvar.c,
src/type42/t42parse.c, src/winfonts/winfnt.c: hardening the code
against out-of-bounds conditions when allocating arrays. This is
for the cases where FT_NEW_ARRAY and FT_RENEW_ARRAY are not used
already. Introducing the new FT_ALLOC_MULT and FT_REALLOC_MULT
macros.
* src/lzw/ftlzw2.c, src/lzw/ftzopen.h, src/lzw/ftzopen.c, src/lzw/rules.mk:
first version of LZW loader re-implementation. Apparently, saves about
260 KB of heap memory when loading tir24.pcf.Z
Werner Lemberg