forked from minhngoc25a/freetype2
[sfnt] Prevent overrunning in `post' table parser.
* src/sfnt/ttpost.c (load_post_names): Get the length of `post' table and pass the limit of `post' table to load_format_20() and load_format_25(). (load_format_20): Stop the parsing when we reached at the limit of `post' table. If more glyph names are required, they are filled by NULL names. See Savannah bug #31040.
This commit is contained in:
parent
db053ec9a5
commit
900e7e0cde
11
ChangeLog
11
ChangeLog
|
@ -1,3 +1,14 @@
|
||||||
|
2010-09-19 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||||
|
|
||||||
|
[sfnt] Prevent overrunning in `post' table parser.
|
||||||
|
|
||||||
|
* src/sfnt/ttpost.c (load_post_names): Get the length of
|
||||||
|
`post' table and pass the limit of `post' table to
|
||||||
|
load_format_20() and load_format_25().
|
||||||
|
(load_format_20): Stop the parsing when we reached at the
|
||||||
|
limit of `post' table. If more glyph names are required,
|
||||||
|
they are filled by NULL names. See Savannah bug #31040.
|
||||||
|
|
||||||
2010-09-17 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
2010-09-17 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||||
|
|
||||||
[truetype] Don't duplicate size->twilight structure to be freed.
|
[truetype] Don't duplicate size->twilight structure to be freed.
|
||||||
|
|
|
@ -153,7 +153,8 @@
|
||||||
|
|
||||||
static FT_Error
|
static FT_Error
|
||||||
load_format_20( TT_Face face,
|
load_format_20( TT_Face face,
|
||||||
FT_Stream stream )
|
FT_Stream stream,
|
||||||
|
FT_ULong post_limit )
|
||||||
{
|
{
|
||||||
FT_Memory memory = stream->memory;
|
FT_Memory memory = stream->memory;
|
||||||
FT_Error error;
|
FT_Error error;
|
||||||
|
@ -230,8 +231,29 @@
|
||||||
FT_UInt len;
|
FT_UInt len;
|
||||||
|
|
||||||
|
|
||||||
if ( FT_READ_BYTE ( len ) ||
|
FT_TRACE7(( "load_format_20: %d byte left in post table\n",
|
||||||
FT_NEW_ARRAY( name_strings[n], len + 1 ) ||
|
post_limit - FT_STREAM_POS() ));
|
||||||
|
|
||||||
|
if ( FT_STREAM_POS() >= post_limit )
|
||||||
|
{
|
||||||
|
FT_ERROR(( "load_format_20:"
|
||||||
|
" all entries in post table is already parsed,"
|
||||||
|
" put NULL name for gid=%d\n", n ));
|
||||||
|
len = 0;
|
||||||
|
}
|
||||||
|
else if ( FT_READ_BYTE( len ) )
|
||||||
|
goto Fail1;
|
||||||
|
|
||||||
|
if ( len > 0 && FT_STREAM_POS() + len > post_limit )
|
||||||
|
{
|
||||||
|
FT_ERROR(( "load_format_20:"
|
||||||
|
" too large string length (%d)"
|
||||||
|
" truncate at the end of post table (%d byte left)\n",
|
||||||
|
len, post_limit - FT_STREAM_POS() ));
|
||||||
|
len = FT_MAX( 0, post_limit - FT_STREAM_POS() );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( FT_NEW_ARRAY( name_strings[n], len + 1 ) ||
|
||||||
FT_STREAM_READ ( name_strings[n], len ) )
|
FT_STREAM_READ ( name_strings[n], len ) )
|
||||||
goto Fail1;
|
goto Fail1;
|
||||||
|
|
||||||
|
@ -271,7 +293,8 @@
|
||||||
|
|
||||||
static FT_Error
|
static FT_Error
|
||||||
load_format_25( TT_Face face,
|
load_format_25( TT_Face face,
|
||||||
FT_Stream stream )
|
FT_Stream stream,
|
||||||
|
FT_ULong post_limit )
|
||||||
{
|
{
|
||||||
FT_Memory memory = stream->memory;
|
FT_Memory memory = stream->memory;
|
||||||
FT_Error error;
|
FT_Error error;
|
||||||
|
@ -338,16 +361,19 @@
|
||||||
FT_Stream stream;
|
FT_Stream stream;
|
||||||
FT_Error error;
|
FT_Error error;
|
||||||
FT_Fixed format;
|
FT_Fixed format;
|
||||||
|
FT_ULong post_len, post_limit;
|
||||||
|
|
||||||
|
|
||||||
/* get a stream for the face's resource */
|
/* get a stream for the face's resource */
|
||||||
stream = face->root.stream;
|
stream = face->root.stream;
|
||||||
|
|
||||||
/* seek to the beginning of the PS names table */
|
/* seek to the beginning of the PS names table */
|
||||||
error = face->goto_table( face, TTAG_post, stream, 0 );
|
error = face->goto_table( face, TTAG_post, stream, &post_len );
|
||||||
if ( error )
|
if ( error )
|
||||||
goto Exit;
|
goto Exit;
|
||||||
|
|
||||||
|
post_limit = FT_STREAM_POS() + post_len;
|
||||||
|
|
||||||
format = face->postscript.FormatType;
|
format = face->postscript.FormatType;
|
||||||
|
|
||||||
/* go to beginning of subtable */
|
/* go to beginning of subtable */
|
||||||
|
@ -356,9 +382,9 @@
|
||||||
|
|
||||||
/* now read postscript table */
|
/* now read postscript table */
|
||||||
if ( format == 0x00020000L )
|
if ( format == 0x00020000L )
|
||||||
error = load_format_20( face, stream );
|
error = load_format_20( face, stream, post_limit );
|
||||||
else if ( format == 0x00028000L )
|
else if ( format == 0x00028000L )
|
||||||
error = load_format_25( face, stream );
|
error = load_format_25( face, stream, post_limit );
|
||||||
else
|
else
|
||||||
error = SFNT_Err_Invalid_File_Format;
|
error = SFNT_Err_Invalid_File_Format;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue