rgraves
/
freetype2
forked from minhngoc25a/freetype2
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[cff] Fix Savannah bug #41693. 

* src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
This commit is contained in:
Werner Lemberg 2014-02-26 14:18:03 +01:00
parent 9a56764037
commit 08c628d128
2 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -1,3 +1,9 @@
2014-02-26 Wermer Lemberg <wl@gnu.org>
[cff] Fix Savannah bug #41693.
* src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
2014-02-26 Wermer Lemberg <wl@gnu.org> 2014-02-26 Wermer Lemberg <wl@gnu.org>
[bdf] Fix Savannah bug #41692. [bdf] Fix Savannah bug #41692.

15
src/cff/cffload.c
View File

@ -4,7 +4,7 @@
/* */ /* */
/* OpenType and CFF data/program tables loader (body). */ /* OpenType and CFF data/program tables loader (body). */
/* */ /* */
/* Copyright 1996-2013 by */ /* Copyright 1996-2014 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */ /* */
/* This file is part of the FreeType project, and may only be used, */ /* This file is part of the FreeType project, and may only be used, */
@ -689,6 +689,13 @@
if ( FT_READ_USHORT( num_ranges ) ) if ( FT_READ_USHORT( num_ranges ) )
goto Exit; goto Exit;
if ( !num_ranges )
{
FT_TRACE0(( "CFF_Load_FD_Select: empty FDSelect array\n" ));
error = FT_THROW( Invalid_File_Format );
goto Exit;
}
fdselect->data_size = num_ranges * 3 + 2; fdselect->data_size = num_ranges * 3 + 2;
Load_Data: Load_Data:
@ -719,7 +726,7 @@
break; break;
case 3: case 3:
/* first, compare to cache */ /* first, compare to the cache */
if ( (FT_UInt)( glyph_index - fdselect->cache_first ) < if ( (FT_UInt)( glyph_index - fdselect->cache_first ) <
fdselect->cache_count ) fdselect->cache_count )
{ {
@ -727,7 +734,7 @@
break; break;
} }
/* then, lookup the ranges array */ /* then, look up the ranges array */
{ {
FT_Byte* p = fdselect->data; FT_Byte* p = fdselect->data;
FT_Byte* p_limit = p + fdselect->data_size; FT_Byte* p_limit = p + fdselect->data_size;
@ -750,7 +757,7 @@
/* update cache */ /* update cache */
fdselect->cache_first = first; fdselect->cache_first = first;
fdselect->cache_count = limit-first; fdselect->cache_count = limit - first;
fdselect->cache_fd = fd2; fdselect->cache_fd = fd2;
break; break;
} }