author | Werner Lemberg <wl@gnu.org> | 2017-07-12 00:24:48 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2017-07-12 00:24:48 +0200 |
commit | 3d083fc213c7df18662e1c452b2f8ad56bfa2c4c (patch) | |
tree | 8453e502a5def8a71abc5ad13d16ea0b1291a73d | |
parent | 39af82ebbf3b55f45300eccc7660f388efd09d0b (diff) | |
download | freetype2-3d083fc213c7df18662e1c452b2f8ad56bfa2c4c.tar.gz |
* src/truetype/ttpload.c (tt_face_get_location): Off-by-one typo.
Also improve tracing message.
Problem reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=738919
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | src/truetype/ttpload.c | 8 |
2 files changed, 14 insertions, 4 deletions
@@ -1,3 +1,13 @@
+2017-07-12 Werner Lemberg <wl@gnu.org>
+
+ * src/truetype/ttpload.c (tt_face_get_location): Off-by-one typo.
+
+ Also improve tracing message.
+
+ Problem reported as
+
+ https://bugs.chromium.org/p/chromium/issues/detail?id=738919
+
 2017-07-07 Werner Lemberg <wl@gnu.org>
 
 [cff] Integer overflow.
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index 70ac15da4..bcf6b34f6 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -247,13 +247,13 @@
 if ( pos2 > face->glyf_len )
 {
 /* We try to sanitize the last `loca' entry. */
- if ( gindex == face->num_locations - 1 )
+ if ( gindex == face->num_locations - 2 )
 {
 FT_TRACE1(( "tt_face_get_location:"
- " too large offset (0x%08lx) found for glyph index %ld,\n"
+ " too large size (%ld bytes) found for glyph index %ld,\n"
 " "
- " truncating at the end of `glyf' table (0x%08lx)\n",
- pos2, gindex + 1, face->glyf_len ));
+ " truncating at the end of `glyf' table to %ld bytes\n",
+ pos2 - pos1, gindex, face->glyf_len - pos1 ));
 pos2 = face->glyf_len;
 }
 else
|
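Review bot: The constant in `if ( gindex == face->num_locations - 2 )` is left unexplained, and the comment above it still speaks of the last loca entry, which reads as index `num_locations - 1`. Since this branch decides whether an out-of-range end offset is clamped to `face->glyf_len`, I would spell the invariant out, e.g. `/* The last glyph is index num_locations - 2; entry num_locations - 1 only holds its end offset. */`. In the reworked FT_TRACE1 call the byte counts `pos2 - pos1` and `face->glyf_len - pos1` are printed with `%ld`, while the removed lines printed `pos2` and `face->glyf_len` with `%lx`, so the operands are presumably unsigned long and `%lu` would match them. The enclosing function begins and ends outside the hunk, so the operand types and any earlier check on `pos1` cannot be confirmed from here.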