[type42] Fix Savannah bug #43659.
* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'. * src/type42/t42parse.c (t42_parse_sfnts): Always set `face->ttf_size' directly. This ensures a correct stream size in the call to `FT_Open_Face', which follows after parsing, even for buggy input data. Fix error messages.
parent
5f201ab5c2
commit
3788187e0c
12
ChangeLog
12
ChangeLog
|
@ -1,3 +1,15 @@
|
|||
2014-11-22 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[type42] Fix Savannah bug #43659.
|
||||
|
||||
* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
|
||||
|
||||
* src/type42/t42parse.c (t42_parse_sfnts): Always set
|
||||
`face->ttf_size' directly. This ensures a correct stream size in
|
||||
the call to `FT_Open_Face', which follows after parsing, even for
|
||||
buggy input data.
|
||||
Fix error messages.
|
||||
|
||||
2014-11-22 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[cff] Fix Savannah bug #43658.
|
||||
|
|
|
@ -47,6 +47,12 @@
|
|||
if ( FT_ALLOC( face->ttf_data, 12 ) )
|
||||
goto Exit;
|
||||
|
||||
/* while parsing the font we always update `face->ttf_size' so that */
|
||||
/* even in case of buggy data (which might lead to premature end of */
|
||||
/* scanning without causing an error) the call to `FT_Open_Face' in */
|
||||
/* `T42_Face_Init' passes the correct size */
|
||||
face->ttf_size = 12;
|
||||
|
||||
error = t42_parser_init( parser,
|
||||
face->root.stream,
|
||||
memory,
|
||||
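Review bot: The literal `12` in the `@ -47,6 +47,12 @` hunk now has to agree in two adjacent statements, `FT_ALLOC( face->ttf_data, 12 )` and `face->ttf_size = 12;`, and again in the `12 + 16 * num_tables` expressions of `t42_parse_sfnts`, so the allocated size and the recorded size can drift apart if only one is edited. A shared constant for the sfnt offset-table size (a suggested name would be `T42_SFNT_HEADER_SIZE`) would tie them together. The added comment says why the field is updated but not the property later code relies on; I would append `/* invariant: face->ttf_size never exceeds the number of bytes allocated for face->ttf_data */`. `T42_Open_Face` starts and ends outside this hunk, so whether its `Exit` path releases `ttf_data` and clears the size after a parser failure cannot be confirmed from here.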
|
|
|
@ -524,7 +524,7 @@
|
|||
FT_Byte* limit = parser->root.limit;
|
||||
FT_Error error;
|
||||
FT_Int num_tables = 0;
|
||||
FT_ULong count, ttf_size = 0;
|
||||
FT_ULong count;
|
||||
|
||||
FT_Long n, string_size, old_string_size, real_size;
|
||||
FT_Byte* string_buf = NULL;
|
||||
|
@ -617,7 +617,7 @@
|
|||
|
||||
if ( limit - parser->root.cursor < string_size )
|
||||
{
|
||||
FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
|
||||
FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
|
||||
error = FT_THROW( Invalid_File_Format );
|
||||
goto Fail;
|
||||
}
|
||||
|
@ -657,18 +657,18 @@
|
|||
}
|
||||
else
|
||||
{
|
||||
num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
|
||||
status = BEFORE_TABLE_DIR;
|
||||
ttf_size = 12 + 16 * num_tables;
|
||||
num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
|
||||
status = BEFORE_TABLE_DIR;
|
||||
face->ttf_size = 12 + 16 * num_tables;
|
||||
|
||||
if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
|
||||
if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
|
||||
goto Fail;
|
||||
}
|
||||
/* fall through */
|
||||
|
||||
case BEFORE_TABLE_DIR:
|
||||
/* the offset table is read; read the table directory */
|
||||
if ( count < ttf_size )
|
||||
if ( count < face->ttf_size )
|
||||
{
|
||||
face->ttf_data[count++] = string_buf[n];
|
||||
continue;
|
||||
|
@ -687,24 +687,23 @@
|
|||
len = FT_PEEK_ULONG( p );
|
||||
|
||||
/* Pad to a 4-byte boundary length */
|
||||
ttf_size += ( len + 3 ) & ~3;
|
||||
face->ttf_size += ( len + 3 ) & ~3;
|
||||
}
|
||||
|
||||
status = OTHER_TABLES;
|
||||
face->ttf_size = ttf_size;
|
||||
status = OTHER_TABLES;
|
||||
|
||||
/* there are no more than 256 tables, so no size check here */
|
||||
if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
|
||||
ttf_size + 1 ) )
|
||||
face->ttf_size + 1 ) )
|
||||
goto Fail;
|
||||
}
|
||||
/* fall through */
|
||||
|
||||
case OTHER_TABLES:
|
||||
/* all other tables are just copied */
|
||||
if ( count >= ttf_size )
|
||||
if ( count >= face->ttf_size )
|
||||
{
|
||||
FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
|
||||
FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
|
||||
error = FT_THROW( Invalid_File_Format );
|
||||
goto Fail;
|
||||
}
|
||||
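Review bot: In the `@ -687,24 +687,23 @` hunk, `face->ttf_size += ( len + 3 ) & ~3;` adds a table length read from the font with `FT_PEEK_ULONG`, and nothing visible bounds it, so `len + 3` or the running sum can wrap where `FT_ULong` is 32 bits wide. The wrapped total then sizes `FT_REALLOC( ..., face->ttf_size + 1 )` and, now that the local copy is gone, is also the value left in the face for the later `FT_Open_Face` call. I would reject the table before the addition, in the style of the neighbouring checks, at minimum `if ( len > FT_ULONG_MAX - 3 ) { error = FT_THROW( Invalid_File_Format ); goto Fail; }`, and also bound the running sum by the amount of sfnts data actually available (the field's type and the enclosing loop are outside the hunk). In the `@ -657,18 +657,18 @` hunk, `face->ttf_size = 12 + 16 * num_tables;` is assigned before `FT_REALLOC( face->ttf_data, 12, face->ttf_size )` is known to have succeeded, so on `goto Fail` the field may describe more bytes than the buffer holds. The `Fail` label is not visible here, so it should be confirmed that it frees the data or resets the size.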
|
|