ref: 3788187e0c396952cd7d905c6c61f3ff8e84b2b4
parent: 5f201ab5c24cb69bc96b724fd66e739928d6c5e2
author: Werner Lemberg <[email protected]>
date: Sat Nov 22 05:46:47 EST 2014
[type42] Fix Savannah bug #43659. * src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'. * src/type42/t42parse.c (t42_parse_sfnts): Always set `face->ttf_size' directly. This ensures a correct stream size in the call to `FT_Open_Face', which follows after parsing, even for buggy input data. Fix error messages.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
2014-11-22 Werner Lemberg <[email protected]>
+ [type42] Fix Savannah bug #43659.
+
+ * src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
+
+ * src/type42/t42parse.c (t42_parse_sfnts): Always set
+ `face->ttf_size' directly. This ensures a correct stream size in
+ the call to `FT_Open_Face', which follows after parsing, even for
+ buggy input data.
+ Fix error messages.
+
+2014-11-22 Werner Lemberg <[email protected]>
+
[cff] Fix Savannah bug #43658.
* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -47,6 +47,12 @@
if ( FT_ALLOC( face->ttf_data, 12 ) )
goto Exit;
+ /* while parsing the font we always update `face->ttf_size' so that */
+ /* even in case of buggy data (which might lead to premature end of */
+ /* scanning without causing an error) the call to `FT_Open_Face' in */
+ /* `T42_Face_Init' passes the correct size */
+ face->ttf_size = 12;
+
error = t42_parser_init( parser,
face->root.stream,
memory,
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -524,7 +524,7 @@
FT_Byte* limit = parser->root.limit;
FT_Error error;
FT_Int num_tables = 0;
- FT_ULong count, ttf_size = 0;
+ FT_ULong count;
FT_Long n, string_size, old_string_size, real_size;
FT_Byte* string_buf = NULL;
@@ -617,7 +617,7 @@
if ( limit - parser->root.cursor < string_size )
{- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
@@ -657,11 +657,11 @@
}
else
{- num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
- status = BEFORE_TABLE_DIR;
- ttf_size = 12 + 16 * num_tables;
+ num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
+ status = BEFORE_TABLE_DIR;
+ face->ttf_size = 12 + 16 * num_tables;
- if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
goto Fail;
}
/* fall through */
@@ -668,7 +668,7 @@
case BEFORE_TABLE_DIR:
/* the offset table is read; read the table directory */
- if ( count < ttf_size )
+ if ( count < face->ttf_size )
{face->ttf_data[count++] = string_buf[n];
continue;
@@ -687,15 +687,14 @@
len = FT_PEEK_ULONG( p );
/* Pad to a 4-byte boundary length */
- ttf_size += ( len + 3 ) & ~3;
+ face->ttf_size += ( len + 3 ) & ~3;
}
- status = OTHER_TABLES;
- face->ttf_size = ttf_size;
+ status = OTHER_TABLES;
/* there are no more than 256 tables, so no size check here */
if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
- ttf_size + 1 ) )
+ face->ttf_size + 1 ) )
goto Fail;
}
/* fall through */
@@ -702,9 +701,9 @@
case OTHER_TABLES:
/* all other tables are just copied */
- if ( count >= ttf_size )
+ if ( count >= face->ttf_size )
{- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}