Problem reported by malc <av1474@comtv.ru>.
* src/cff/cffgload.c (cff_decoder_parse_charstrings)
<cff_op_hintmask>: It is possible that there is just a single byte
after the `hintmask' or `cntrmask', e.g., a `return' instruction.
Fix for Savannah bug #30059.
* src/cache/ftccmap.c (FTC_CMapCache_Lookup): Replace `16' the
minimum character code passed by a legacy rogue client by...
* include/freetype/config/ftoption.h (FT_MAX_CHARMAP_CACHEABLE):
This. It is undefined when FT_CONFIG_OPTION_OLD_INTERNALS is
undefined (thus the rogue client compatibility is not required).
* src/cff/cffobjs.c (cff_face_init): Abort the automatic
selection or synthesis of Unicode cmap subtable when the charmap
index exceeds FT_MAX_CHARMAP_CACHEABLE.
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Issue error message
when the charmap index exceeds FT_MAX_CHARMAP_CACHEABLE.
* src/base/ftobjs.c (find_unicode_charmap): When Unicode charmap
is found after FT_MAX_CHARMAP_CACHEABLE, ignore it and search
earlier one.
(find_variant_selector_charmap): When UVS charmap is found after
FT_MAX_CHARMAP_CACHEABLE, ignore it and search earlier one.
(FT_Select_Charmap): When a charmap matching with requested
encoding but after FT_MAX_CHARMAP_CACHEABLE, ignore and search
earlier one.
(FT_Set_Charmap): When a charmap matching with requested
charmap but after FT_MAX_CHARMAP_CACHEABLE, ignore and search
earlier one.
(FT_Get_Charmap_Index): When a requested charmap is found
after FT_MAX_CHARMAP_CACHEABLE, return the inverted charmap
index.
* src/base/ftobjs.c (Mac_Read_POST_Resource): If the type
of the POST fragment is 0, the segment is completely ignored.
The declared length of the segment is not cared at all.
According to Adobe Technical Note 5040, type 0 segment is
comment only and should not be loaded for the interpreter.
Reported by Robert Swiecki.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
the length of fragment declared in the POST fragment header
and prevent an underflow in length calculation. Some fonts
set the length to zero in spite of the exist of following
16bit `type'. Reported by Robert Swiecki.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
size during gathering PFB fragments embedded in LaserWriter PS
font for Macintosh. Reported by Robert Swiecki.
* src/smooth/ftgrays.c (gray_render_span): Use cast to `unsigned
int' to avoid integer overflow.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Use smaller
threshold values for `width' and `height'. This is not directly
related to the bug fix but makes sense anyway.
* src/cff/cffgload.c (cff_decoder_parse_charstrings)
<cff_op_hintmask>: Ensure that we don't exceed `limit' while parsing
the bit masks of the `hintmask' and `cntrmask' operators.
* src/base/ftstream.c (FT_Stream_EnterFrame): Exit with error
if the frame size is larger than the stream size.
* src/base/ftsystem.c (ft_ansi_stream_io): Exit with error if
seeking a position larger than the stream size.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the error during
reading a PFB fragment embedded in LaserWriter PS font for Macintosh.
Reported by Robert Swiecki.
* src/bdf/bdflib.c (_bdf_readstream): Use special error code to
indicate a redo operation.
(_bdf_parse_start): Handle `CHARS' keyword here too and pass current
input line to `_bdf_parse_glyph'.
* include/freetype/fterrdef.h
(BDF_Err_Missing_Fontboundingbox_Field): New error code.
* src/bdf/bdflib.c (_bdf_parse_start): Check for missing
`FONTBOUNDINGBOX' field.
Avoid memory leak if there are multiple `FONT' lines (which is
invalid but doesn't hurt).
Point numbers for FreeType's implementation of hinting masks are
collected before the final number of points of a glyph has been
determined; in particular, the code for handling the `endchar'
opcode can reduce the number of points.
* src/pshinter/pshalgo.c (psh_glyph_find_strong_points): Assure that
`end_point' is not larger than `glyph->num_points'.
This bug has been introduced with commit 2415cbf3.
* src/base/ftobjs.c (FT_Get_First_Char, FT_Get_Next_Char): Protect
against endless loop in case of corrupted font header data.