* src/base/ftobjs.c (Mac_Read_POST_Resource): If the type
of the POST fragment is 0, the segment is completely ignored.
The declared length of the segment is not cared at all.
According to Adobe Technical Note 5040, type 0 segment is
comment only and should not be loaded for the interpreter.
Reported by Robert Swiecki.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
the length of fragment declared in the POST fragment header
and prevent an underflow in length calculation. Some fonts
set the length to zero in spite of the exist of following
16bit `type'. Reported by Robert Swiecki.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
size during gathering PFB fragments embedded in LaserWriter PS
font for Macintosh. Reported by Robert Swiecki.
* src/smooth/ftgrays.c (gray_render_span): Use cast to `unsigned
int' to avoid integer overflow.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Use smaller
threshold values for `width' and `height'. This is not directly
related to the bug fix but makes sense anyway.
* src/cff/cffgload.c (cff_decoder_parse_charstrings)
<cff_op_hintmask>: Ensure that we don't exceed `limit' while parsing
the bit masks of the `hintmask' and `cntrmask' operators.
* src/base/ftstream.c (FT_Stream_EnterFrame): Exit with error
if the frame size is larger than the stream size.
* src/base/ftsystem.c (ft_ansi_stream_io): Exit with error if
seeking a position larger than the stream size.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the error during
reading a PFB fragment embedded in LaserWriter PS font for Macintosh.
Reported by Robert Swiecki.
* src/bdf/bdflib.c (_bdf_readstream): Use special error code to
indicate a redo operation.
(_bdf_parse_start): Handle `CHARS' keyword here too and pass current
input line to `_bdf_parse_glyph'.
* include/freetype/fterrdef.h
(BDF_Err_Missing_Fontboundingbox_Field): New error code.
* src/bdf/bdflib.c (_bdf_parse_start): Check for missing
`FONTBOUNDINGBOX' field.
Avoid memory leak if there are multiple `FONT' lines (which is
invalid but doesn't hurt).
Point numbers for FreeType's implementation of hinting masks are
collected before the final number of points of a glyph has been
determined; in particular, the code for handling the `endchar'
opcode can reduce the number of points.
* src/pshinter/pshalgo.c (psh_glyph_find_strong_points): Assure that
`end_point' is not larger than `glyph->num_points'.
This bug has been introduced with commit 2415cbf3.
* src/base/ftobjs.c (FT_Get_First_Char, FT_Get_Next_Char): Protect
against endless loop in case of corrupted font header data.
Suggested by Graham.
* src/autofit/afhints.c (af_glyph_hints_compute_inflections):
Removed.
(af_glyph_hints_reload): Remove third argument.
Update all callers.
Acroread does the same.
* src/truetype/ttgload.c (TT_Process_Composite_Glyph): Call
`Update_Max' to adjust size of instructions array if necessary and
add a rough safety check.
(load_truetype_glyph): Save `loader->byte_len' before recursive
call.
* src/truetype/ttinterp.h, src/truetype/ttinterp.c (Update_Max):
Declare it as FT_LOCAL.
Previously we discovered fonts which used `setcurrentpoint' to set
the initial point of a contour to 0,0. This caused FreeType to
raise an error, because the `setcurrentpoint' operator is only
supposed to be used with the results from an OtherSubr subroutine.
This was fixed by simply ignoring the error and carrying on.
Now we have found a font which uses setcurrentpoint to actually
establish a non-zero point for a contour during the course of a
glyph program. FWIW, these files may be produced by an application
called `Intaglio' on the Mac, when converting TrueType fonts to
Type 1.
The fix allows the new invalid behaviour, the old invalid behaviour
and real proper usage of the operator to work the same way as Adobe
interpreters apparently do.
(t1_decoder_parse_charstrings): Make `setcurrentpoint' use the top
two elements of the stack to establish unconditionally the current x
and y coordinates.
Make the `flex' subroutine handling (OtherSubr 0) put the current
x,y coordinates onto the stack, instead of two dummy uninitialised
values.
suzuki toshiya