Fix Savannah bug #39702.

* src/cff/cffload.c (cff_index_get_pointers): Check for `cur_offset != 0'; this stronger test is mandated by the CFF specification. Fix test for INDEX structures which have one or more empty entries at the end.
2013-08-06 08:55:19 +02:00 · 2013-08-06 08:55:19 +02:00 · 9bcfab8758
parent a32682f176
commit 9bcfab8758
2 changed files with 14 additions and 5 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+2013-08-06  John Tytgat  <John.Tytgat@esko.com>
+
+	Fix Savannah bug #39702.
+
+	* src/cff/cffload.c (cff_index_get_pointers): Check for `cur_offset
+	!= 0'; this stronger test is mandated by the CFF specification.
+	Fix test for INDEX structures which have one or more empty entries
+	at the end.
+
 2013-08-05  Werner Lemberg  <wl@gnu.org>

 	Fix gcc pragmas, part 2.
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@ -414,7 +414,7 @@
      cur_offset = idx->offsets[0] - 1;

      /* sanity check */
-      if ( cur_offset >= idx->data_size )
+      if ( cur_offset != 0 )
      {
        FT_TRACE0(( "cff_index_get_pointers:"
                    " invalid first offset value %d set to zero\n",
@ -432,11 +432,11 @@
        FT_ULong  next_offset = idx->offsets[n] - 1;


-        /* empty slot + two sanity checks for invalid offset tables */
-        if ( next_offset == 0                                    ||
-             next_offset < cur_offset                            ||
-             ( next_offset >= idx->data_size && n < idx->count ) )
+        /* two sanity checks for invalid offset tables */
+        if ( next_offset < cur_offset )
          next_offset = cur_offset;
+        else if ( next_offset > idx->data_size )
+          next_offset = idx->data_size;

        if ( !pool )
          t[n] = org_bytes + next_offset;