From 2d15120cb58ce77bf7800c678e6393841c5358fa Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 19 Oct 2009 21:09:13 +0200 Subject: [PATCH] Fix handling of `get' and `put' CFF instructions. * src/cff/cffgload.c (cff_decoder_parse_charstrings) : Appendix B of Adobe Technote #5177 limits the number of elements for the `get' and `put' operators to 32. * src/cff/cffgload.h (CFF_MAX_TRANS_ELEMENTS): Define. (CFF_Decoder): Use it for `buildchar' and remove `len_buildchar'.
---
 ChangeLog | 10 ++++++++++ src/cff/cffgload.c | 4 ++-- src/cff/cffgload.h | 4 ++-- 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 53141f2a0..023897ef6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2009-10-19 Ning Dong
+
+ Fix handling of `get' and `put' CFF instructions.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings) : Appendix B of Adobe Technote #5177 limits the number of
+ elements for the `get' and `put' operators to 32.
+ * src/cff/cffgload.h (CFF_MAX_TRANS_ELEMENTS): Define.
+ (CFF_Decoder): Use it for `buildchar' and remove `len_buildchar'.
+
 2009-10-18 Werner Lemberg
 Fix handling of `dup' CFF instruction.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index d83c40646..4cabc4cc7 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -2117,7 +2117,7 @@
 FT_TRACE4(( " put\n" ));
- if ( idx >= 0 && idx < decoder->len_buildchar )
+ if ( idx >= 0 && idx < CFF_MAX_TRANS_ELEMENTS )
 decoder->buildchar[idx] = val;
 }
 break;
@@ -2130,7 +2130,7 @@
 FT_TRACE4(( " get\n" ));
- if ( idx >= 0 && idx < decoder->len_buildchar )
+ if ( idx >= 0 && idx < CFF_MAX_TRANS_ELEMENTS )
 val = decoder->buildchar[idx];
 args[0] = val;
diff --git a/src/cff/cffgload.h b/src/cff/cffgload.h
index 956817a08..1342227eb 100644
--- a/src/cff/cffgload.h
+++ b/src/cff/cffgload.h
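Review bot: In the `put` hunk of src/cff/cffgload.c (@@ -2117) an out-of-range `idx` is discarded with no trace output, and the `get` hunk (@@ -2130) behaves the same way. A charstring that indexes outside the 32-element transient array is malformed input, so a trace line would make such fonts diagnosable, for example `else FT_TRACE4(( " index out of range, ignored\n" ));` after the guarded statement. A short comment above each check, `/* transient array is limited to CFF_MAX_TRANS_ELEMENTS entries (Technote #5177, Appendix B) */`, would record why the bound is a constant. The enclosing case block starts outside the hunk, so how `idx` is derived from the operand cannot be checked here.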
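Review bot: In the `get` hunk (@@ -2130) `args[0] = val;` runs even when the range check fails, so the pushed value depends on how `val` is initialised above the hunk, which is not visible here. If `val` has no defined value before the `if`, a font-supplied index outside 0..31 would put an indeterminate value on the operand stack. Confirm the declaration sets a default, e.g. `FT_Fixed val = 0;`, and document the fallback with `/* out-of-range index yields the default value */` next to the check.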
@@ -30,6 +30,7 @@ FT_BEGIN_HEADER
 #define CFF_MAX_OPERANDS 48
 #define CFF_MAX_SUBRS_CALLS 32
+#define CFF_MAX_TRANS_ELEMENTS 32
 /*************************************************************************/
@@ -137,8 +138,7 @@ FT_BEGIN_HEADER
 FT_Bool read_width;
 FT_Bool width_only;
 FT_Int num_hints;
- FT_Fixed* buildchar;
- FT_Int len_buildchar;
+ FT_Fixed buildchar[CFF_MAX_TRANS_ELEMENTS];
 FT_UInt num_locals;
 FT_UInt num_globals;
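Review bot: In the second hunk of src/cff/cffgload.h (@@ -137), `FT_Fixed buildchar[CFF_MAX_TRANS_ELEMENTS];` makes the transient array live storage inside the decoder, so a `get` executed before any `put` returns whatever the array already holds. The decoder set-up code is outside this diff; if it does not already clear the whole structure, it should zero the array, e.g. `FT_MEM_ZERO( decoder->buildchar, sizeof ( decoder->buildchar ) );`, so that stale memory cannot flow into glyph data through a font-controlled charstring. A field comment such as `/* transient array for put/get; zeroed when the decoder is initialised */` would record that requirement. The struct definition starts and ends outside the hunk.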