ref: 2d15120cb58ce77bf7800c678e6393841c5358fa
parent: d90567b1e6f5d50c259dc554ff294f4588a617ad
author: Werner Lemberg <[email protected]>
date: Mon Oct 19 17:09:13 EDT 2009
Fix handling of `get' and `put' CFF instructions. * src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_get, cff_op_put>: Appendix B of Adobe Technote #5177 limits the number of elements for the `get' and `put' operators to 32. * src/cff/cffgload.h (CFF_MAX_TRANS_ELEMENTS): Define. (CFF_Decoder): Use it for `buildchar' and remove `len_buildchar'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2009-10-19 Ning Dong <[email protected]>
+
+ Fix handling of `get' and `put' CFF instructions.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_get,
+ cff_op_put>: Appendix B of Adobe Technote #5177 limits the number of
+ elements for the `get' and `put' operators to 32.
+ * src/cff/cffgload.h (CFF_MAX_TRANS_ELEMENTS): Define.
+ (CFF_Decoder): Use it for `buildchar' and remove `len_buildchar'.
+
2009-10-18 Werner Lemberg <[email protected]>
Fix handling of `dup' CFF instruction.
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -2117,7 +2117,7 @@
FT_TRACE4(( " put\n" ));
- if ( idx >= 0 && idx < decoder->len_buildchar )
+ if ( idx >= 0 && idx < CFF_MAX_TRANS_ELEMENTS )
decoder->buildchar[idx] = val;
}
break;
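Review bot: An out-of-range `idx` in the `put` case is dropped without a trace or an error, so a charstring that addresses the transient array beyond `CFF_MAX_TRANS_ELEMENTS` is processed as if nothing were wrong. `idx` is derived from charstring operands (its computation is above this hunk), so the rejected case is reachable from font data and worth making visible, for example with `else FT_TRACE4(( " put: index out of range\n" ));`. The case body starts outside the hunk.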
@@ -2130,7 +2130,7 @@
FT_TRACE4(( " get\n" ));
- if ( idx >= 0 && idx < decoder->len_buildchar )
+ if ( idx >= 0 && idx < CFF_MAX_TRANS_ELEMENTS )
val = decoder->buildchar[idx];
args[0] = val;
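Review bot: When the range check fails in the `get` case, `args[0] = val;` still runs and pushes whatever `val` held before the `if`. The initialisation of `val` is above the hunk, so confirm that it is a defined value (presumably 0) rather than an uninitialised local. A comment on the assignment such as `/* out-of-range index yields the initial value of val */` would document the fallback.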
--- a/src/cff/cffgload.h
+++ b/src/cff/cffgload.h
@@ -30,6 +30,7 @@
#define CFF_MAX_OPERANDS 48
#define CFF_MAX_SUBRS_CALLS 32
+#define CFF_MAX_TRANS_ELEMENTS 32
/*************************************************************************/
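Review bot: `CFF_MAX_TRANS_ELEMENTS` is added without a comment, although it is both the dimension of `buildchar` and the bound used in the `put` and `get` checks in cffgload.c. A one-line comment such as `/* transient array size for put/get, Adobe Technote #5177, Appendix B */` would record where the value 32 comes from. It would also signal that the array and the index checks have to change together.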
@@ -137,8 +138,7 @@
FT_Bool read_width;
FT_Bool width_only;
FT_Int num_hints;
- FT_Fixed* buildchar;
- FT_Int len_buildchar;
+ FT_Fixed buildchar[CFF_MAX_TRANS_ELEMENTS];
FT_UInt num_locals;
FT_UInt num_globals;
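Review bot: `buildchar` is now storage inside `CFF_Decoder`, so `get` can read a slot that no `put` has written, and what it returns depends on how the decoder is initialised, which this diff does not show. If the decoder setup does not clear the whole structure, such a read would feed stale memory contents into the interpreter's operand stack. Confirm that the structure is zeroed, or clear the array explicitly with `FT_MEM_ZERO( decoder->buildchar, sizeof ( decoder->buildchar ) );`. It is also worth checking that no other code still allocates, frees or assigns `buildchar` or reads `len_buildchar`, since none is touched here. The struct continues outside the hunk.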