[cff] Fix handling of reserved byte 0xFF.

* src/cff/cffgload.c (cff_decoder_parse_charstrings): Abort if byte 0xFF is encountered.
2009-06-19 23:50:37 +02:00 · 2009-06-19 23:50:37 +02:00 · f1631f2db0
parent 86fa2ebc1f
commit f1631f2db0
2 changed files with 10 additions and 11 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2009-06-19  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Fix handling of reserved byte 0xFF.
+
+	* src/cff/cffgload.c (cff_decoder_parse_charstrings): Abort if byte
+	0xFF is encountered.
+
 2009-06-19  Werner Lemberg  <wl@gnu.org>

 	Improve debug messages for Type1 charstrings.
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@ -938,17 +938,9 @@
            goto Syntax_Error;
          val = -( (FT_Long)v - 251 ) * 256 - *ip++ - 108;
        }
-        else
-        {
-          if ( ip + 3 >= limit )
-            goto Syntax_Error;
-          val = ( (FT_Int32)ip[0] << 24 ) |
-                ( (FT_Int32)ip[1] << 16 ) |
-                ( (FT_Int32)ip[2] <<  8 ) |
-                            ip[3];
-          ip    += 4;
-          shift  = 0;
-        }
+        else /* 255 */
+          goto Syntax_Error;
+
        if ( decoder->top - stack >= CFF_MAX_OPERANDS )
          goto Stack_Overflow;