ref: 6862024854c64d7f7bbb80d4909c19a45c4f7d9a
parent: beecf80a6deecbaf5d264d4f864451bde4fe98b8
author: Werner Lemberg <[email protected]>
date: Fri Dec 16 06:15:17 EST 2016
[cff, truetype] Remove compiler warnings; fix `make multi'. * src/cff/cf2font.h: Include `cffload.h'. * src/cff/cffload.c: Include FT_MULTIPLE_MASTERS_H and FT_SERVICE_MULTIPLE_MASTERS_H. (cff_vstore_load): Eliminate `vsSize'. (cff_load_private_dict): Tag as `FT_LOCAL_DEF'. * src/cff/cffload.h: Include `cffobjs.h'. Provide declaration for `cff_load_private_dict'. * src/truetype/ttgxvar.c (ft_var_load_hvar): Eliminate `minorVersion' and `map_offset'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,22 @@
2016-12-16 Werner Lemberg <[email protected]>
+ [cff, truetype] Remove compiler warnings; fix `make multi'.
+
+ * src/cff/cf2font.h: Include `cffload.h'.
+
+ * src/cff/cffload.c: Include FT_MULTIPLE_MASTERS_H and
+ FT_SERVICE_MULTIPLE_MASTERS_H.
+ (cff_vstore_load): Eliminate `vsSize'.
+ (cff_load_private_dict): Tag as `FT_LOCAL_DEF'.
+
+ * src/cff/cffload.h: Include `cffobjs.h'.
+ Provide declaration for `cff_load_private_dict'.
+
+ * src/truetype/ttgxvar.c (ft_var_load_hvar): Eliminate
+ `minorVersion' and `map_offset'.
+
+2016-12-16 Werner Lemberg <[email protected]>
+
[cff] Fix heap buffer overflow (#49858).
* src/cff/cffparse.c (cff_parser_run): Add one more stack size
--- a/src/cff/cf2font.h
+++ b/src/cff/cf2font.h
@@ -42,6 +42,7 @@
#include "cf2ft.h"
#include "cf2blues.h"
+#include "cffload.h"
FT_BEGIN_HEADER
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -23,6 +23,11 @@
#include FT_TRUETYPE_TAGS_H
#include FT_TYPE1_TABLES_H
+#ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT
+#include FT_MULTIPLE_MASTERS_H
+#include FT_SERVICE_MULTIPLE_MASTERS_H
+#endif
+
#include "cffload.h"
#include "cffparse.h"
@@ -1126,15 +1131,15 @@
/* no offset means no vstore to parse */
if ( offset )
{
- FT_UInt vsSize; /* currently unused */
FT_UInt vsOffset;
FT_UInt format;
FT_ULong regionListOffset;
- /* we need to parse the table to determine its size */
+ /* we need to parse the table to determine its size; */
+ /* skip table length */
if ( FT_STREAM_SEEK( base_offset + offset ) ||
- FT_READ_USHORT( vsSize ) )
+ FT_STREAM_SKIP( 2 ) )
goto Exit;
/* actual variation store begins after the length */
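Review bot: The declared length of the variation store is now skipped unread at `FT_STREAM_SKIP( 2 )`, so nothing in the visible lines ties `regionListOffset` or the reads that follow to the size the font claims for this table. The removed code read `vsSize` but was marked "currently unused", so this is not a regression. The comment still says the table is parsed "to determine its size" while dropping the one field that states it. If the stream bounds are what limits the following seeks, the comment should say so, for example `/* table length is ignored; reads below are limited only by the stream */`. The rest of cff_vstore_load lies outside the hunk, so a check further down cannot be ruled out.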
@@ -1824,7 +1829,7 @@
/* so NDV has not been set for CFF2 variation. */
/* */
/* `cff_slot_load' must call this function each time NDV changes. */
- static FT_Error
+ FT_LOCAL_DEF( FT_Error )
cff_load_private_dict( CFF_Font font,
CFF_SubFont subfont,
FT_UInt lenNDV,
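Review bot: `cff_load_private_dict` changes from `static` to `FT_LOCAL_DEF`, and the prototype added in the `src/cff/cffload.h` hunk has no comment, so callers in other files get no statement of what `lenNDV` and `NDV` must satisfy. The comment kept above the definition only says when `cff_slot_load' must call it. I would add a comment on the header declaration such as `/* NDV is expected to hold lenNDV entries; TODO confirm whether NDV == NULL with lenNDV == 0 is accepted */`. The function body is outside the hunk, so the exact requirement has to be confirmed against it.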
--- a/src/cff/cffload.h
+++ b/src/cff/cffload.h
@@ -23,6 +23,7 @@
#include <ft2build.h>
#include "cfftypes.h"
#include "cffparse.h"
+#include "cffobjs.h" /* for CFF_Face */
FT_BEGIN_HEADER
@@ -71,6 +72,12 @@
FT_LOCAL( void )
cff_font_done( CFF_Font font );
+
+ FT_LOCAL( FT_Error )
+ cff_load_private_dict( CFF_Font font,
+ CFF_SubFont subfont,
+ FT_UInt lenNDV,
+ FT_Fixed* NDV );
FT_LOCAL( FT_Byte )
cff_fd_select_get( CFF_FDSelect fdselect,
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -433,11 +433,9 @@
FT_Error error;
FT_UShort majorVersion;
- FT_UShort minorVersion;
FT_ULong table_len;
FT_ULong table_offset;
FT_ULong store_offset;
- FT_ULong map_offset;
FT_ULong* dataOffsetArray = NULL;
@@ -455,8 +453,9 @@
table_offset = FT_STREAM_POS();
+ /* skip minor version */
if ( FT_READ_USHORT( majorVersion ) ||
- FT_READ_USHORT( minorVersion ) )
+ FT_STREAM_SKIP( 2 ) )
goto Exit;
if ( majorVersion != 1 )
{
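Review bot: The new `/* skip minor version */` comment sits above the `if`, directly before `FT_READ_USHORT( majorVersion )`, so it reads as a label for the major-version read rather than for the skip. The `/* skip map offset */` comment in the next hunk has the same placement, before `FT_READ_ULONG( store_offset )`. Moving each comment onto the skip line also ties the literal byte count to the field it replaces: `FT_STREAM_SKIP( 2 ) ) /* minorVersion, 16 bits */` and `FT_STREAM_SKIP( 4 ) ) /* map offset, 32 bits */`. Both statements are inside ft_var_load_hvar, which starts and ends outside these hunks.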
@@ -465,8 +464,9 @@
goto Exit;
}
+ /* skip map offset */
if ( FT_READ_ULONG( store_offset ) ||
- FT_READ_ULONG( map_offset ) )
+ FT_STREAM_SKIP( 4 ) )
goto Exit;
/* parse item variation store */