* src/sfnt/ttpost.c (load_post_names): Get the length of
`post' table and pass the limit of `post' table to
load_format_20() and load_format_25().
(load_format_20): Stop the parsing when we reached at the
limit of `post' table. If more glyph names are required,
they are filled by NULL names. See Savannah bug #31040.
* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
FT_GlyphZoneRec size->twilight to be freed. If duplicated,
FT_FREE() erases the duplicated pointers only and leave original
pointers. They can cause the double-free crash when the burst
errors occur in TrueType interpreter and free_buffer_in_size()
is invoked repeatedly. See Savannah bug #31040 for detail.
* src/truetype/ttinterp.c (TT_RunIns): Decrease the trace level
showing the error when the interpreter returns with an error,
from FT_TRACE7() to FT_TRACE1().
* src/truetype/ttinterp.c (free_buffer_in_size): New function to
free the buffer allocated during the interpretation of this glyph.
(TT_RunIns): Unset FT_Face->size->{cvt_ready,bytecode_ready} if
an error occurs in the bytecode interpretation. The interpretation
of invalid bytecode may break the function definitions and referring
them in later interpretation is danger. By unsetting these flags,
`fpgm' and `prep' tables are executed again in next interpretation.
Fix Savannah bug #30798, reported by Robert Swiecki.
* src/cff/cffload.c (cff_charset_load): Fix change from 2009-03-20:
The threshold for SIDs is not applicable here. I misinterpreted the
`SID values 65000 and above are available for implementation use'
sentence in the CFF specification.
Problem reported by Ivan Ninčić <inincic@pdftron.com>.
* src/base/ftobjs.c (FT_Done_Library): Specify the order of font
drivers in face closing process. Type42 faces should be closed
before TrueType faces, because a Type42 face refers another
internal TrueType face which is created from sfnt[] array on the
memory.
* src/truetype/ttinterp.c (BOUNDSL): New macro.
Change `BOUNDS' to `BOUNDSL' where appropriate.
* src/truetype/ttinterp.h (TT_ExecContextRec): Fix type of
`cvtSize'.
Problem reported by Tobias Wolf <towolf@gmail.com>.
* src/cff/cffgload.c (cff_decoder_parse_charstrings)
<cff_op_hintmask>: Sigh. I'm apparently too silly to fix this
correctly in less than three tries.
Permit a face for Type1, Type42 and CFF without charmap,
patch by Tor Andersson.
* src/type1/t1objs.c (T1_Face_Init): Reset the error if it
is FT_Err_No_Unicode_Glyph_Name.
* src/type42/t42objs.c (T42_Face_Init): Ditto.
* src/cff/cffobjs.c (cff_face_init): Ditto.
Too serious check of errors by `FT_CMap_New' since 2010-07-04
is fixed. Reported by Tor Andersson.
* include/freetype/fterrdef.h
(PSnames_Err_No_Unicode_Glyph_Name): New error code to
indicate the Unicode charmap synthesis failed because
no Unicode glyph name is found.
* src/psnames/psmodule.c (ps_unicodes_init): Return
PSnames_Err_No_Unicode_Glyph_Name when no Unicode glyph name
is found in the font.
* src/cff/cffcmap.c (cff_cmap_unicode_init): Return
CFF_Err_No_Unicode_Glyph_Name when no SID is available.
* src/type1/t1objs.c (T1_Face_Init): Proceed if `FT_CMap_New'
is failed by the lack of Unicode glyph name.
* src/type42/t42objs.c (T42_Face_Init): Ditto.
* src/cff/cffobjs.c (cff_face_init): Ditto.
Problem reported by malc <av1474@comtv.ru>.
* src/cff/cffgload.c (cff_decoder_parse_charstrings)
<cff_op_hintmask>: It is possible that there is just a single byte
after the `hintmask' or `cntrmask', e.g., a `return' instruction.
Fix for Savannah bug #30059.
* src/cache/ftccmap.c (FTC_CMapCache_Lookup): Replace `16' the
minimum character code passed by a legacy rogue client by...
* include/freetype/config/ftoption.h (FT_MAX_CHARMAP_CACHEABLE):
This. It is undefined when FT_CONFIG_OPTION_OLD_INTERNALS is
undefined (thus the rogue client compatibility is not required).
* src/cff/cffobjs.c (cff_face_init): Abort the automatic
selection or synthesis of Unicode cmap subtable when the charmap
index exceeds FT_MAX_CHARMAP_CACHEABLE.
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Issue error message
when the charmap index exceeds FT_MAX_CHARMAP_CACHEABLE.
* src/base/ftobjs.c (find_unicode_charmap): When Unicode charmap
is found after FT_MAX_CHARMAP_CACHEABLE, ignore it and search
earlier one.
(find_variant_selector_charmap): When UVS charmap is found after
FT_MAX_CHARMAP_CACHEABLE, ignore it and search earlier one.
(FT_Select_Charmap): When a charmap matching with requested
encoding but after FT_MAX_CHARMAP_CACHEABLE, ignore and search
earlier one.
(FT_Set_Charmap): When a charmap matching with requested
charmap but after FT_MAX_CHARMAP_CACHEABLE, ignore and search
earlier one.
(FT_Get_Charmap_Index): When a requested charmap is found
after FT_MAX_CHARMAP_CACHEABLE, return the inverted charmap
index.
* src/base/ftobjs.c (Mac_Read_POST_Resource): If the type
of the POST fragment is 0, the segment is completely ignored.
The declared length of the segment is not cared at all.
According to Adobe Technical Note 5040, type 0 segment is
comment only and should not be loaded for the interpreter.
Reported by Robert Swiecki.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
the length of fragment declared in the POST fragment header
and prevent an underflow in length calculation. Some fonts
set the length to zero in spite of the exist of following
16bit `type'. Reported by Robert Swiecki.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
size during gathering PFB fragments embedded in LaserWriter PS
font for Macintosh. Reported by Robert Swiecki.
* src/smooth/ftgrays.c (gray_render_span): Use cast to `unsigned
int' to avoid integer overflow.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Use smaller
threshold values for `width' and `height'. This is not directly
related to the bug fix but makes sense anyway.