Fix handling of `get' and `put' CFF instructions.

* src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_get,
cff_op_put>: Appendix B of Adobe Technote #5177 limits the number of
elements for the `get' and `put' operators to 32.
* src/cff/cffgload.h (CFF_MAX_TRANS_ELEMENTS): Define.
(CFF_Decoder): Use it for `buildchar' and remove `len_buildchar'.

ChangeLog

@@ -1,3 +1,13 @@
+2009-10-19  Ning Dong  <flintning@163.com>
+
+	Fix handling of `get' and `put' CFF instructions.
+
+	* src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_get,
+	cff_op_put>: Appendix B of Adobe Technote #5177 limits the number of
+	elements for the `get' and `put' operators to 32.
+	* src/cff/cffgload.h (CFF_MAX_TRANS_ELEMENTS): Define.
+	(CFF_Decoder): Use it for `buildchar' and remove `len_buildchar'.
+
 2009-10-18  Werner Lemberg  <wl@gnu.org>
 
 	Fix handling of `dup' CFF instruction.

src/cff/cffgload.c

@@ -2117,7 +2117,7 @@
 
             FT_TRACE4(( " put\n" ));
 
-            if ( idx >= 0 && idx < decoder->len_buildchar )
+            if ( idx >= 0 && idx < CFF_MAX_TRANS_ELEMENTS )
               decoder->buildchar[idx] = val;
           }
           break;
@@ -2130,7 +2130,7 @@
 
             FT_TRACE4(( " get\n" ));
 
-            if ( idx >= 0 && idx < decoder->len_buildchar )
+            if ( idx >= 0 && idx < CFF_MAX_TRANS_ELEMENTS )
               val = decoder->buildchar[idx];
 
             args[0] = val;

src/cff/cffgload.h

@@ -30,6 +30,7 @@ FT_BEGIN_HEADER
 
 #define CFF_MAX_OPERANDS     48
 #define CFF_MAX_SUBRS_CALLS  32
+#define CFF_MAX_TRANS_ELEMENTS 32
 
 
   /*************************************************************************/
@@ -137,8 +138,7 @@ FT_BEGIN_HEADER
     FT_Bool            read_width;
     FT_Bool            width_only;
     FT_Int             num_hints;
-    FT_Fixed*          buildchar;
+    FT_Fixed           buildchar[CFF_MAX_TRANS_ELEMENTS];
-    FT_Int             len_buildchar;
 
     FT_UInt            num_locals;
     FT_UInt            num_globals;