authorWerner Lemberg <wl@gnu.org>2018-03-13 11:11:16 +0100
committerWerner Lemberg <wl@gnu.org>2018-03-13 11:11:16 +0100
commit5bd76524ef786d942b28dc52618aeda3aebfa3d6 (patch)
tree56a454b5cfe27daaeb2d092915f17848e83d275e
parent78cded2c5c687d06c5b74b308fb54af7f807dc0d (diff)
downloadfreetype2-5bd76524ef786d942b28dc52618aeda3aebfa3d6.tar.gz
* src/sfnt/ttcmap.c (tt_cmap2_validate): Fix potential numeric
overflow.
-rw-r--r--ChangeLog5
-rw-r--r--src/sfnt/ttcmap.c21
2 files changed, 16 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 65bc40956..d3ead8fc2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2018-03-13 Werner Lemberg <wl@gnu.org>
+ * src/sfnt/ttcmap.c (tt_cmap2_validate): Fix potential numeric
+ overflow.
+
+2018-03-13 Werner Lemberg <wl@gnu.org>
+
Fix cmap format 2 handling (#53320).
The patch introduced for #52646 was not correct.
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 58b49c94d..dcde8693e 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -222,10 +222,10 @@
/***** The following charmap lookup and iteration functions all *****/
/***** assume that the value `charcode' fulfills the following. *****/
/***** *****/
- /***** - For one byte characters, `charcode' is simply the *****/
+ /***** - For one-byte characters, `charcode' is simply the *****/
/***** character code. *****/
/***** *****/
- /***** - For two byte characters, `charcode' is the 2-byte *****/
+ /***** - For two-byte characters, `charcode' is the 2-byte *****/
/***** character code in big endian format. More precisely: *****/
/***** *****/
/***** (charcode >> 8) is the first byte value *****/
@@ -252,11 +252,11 @@
/* subs 518 SUBHEAD[NSUBS] sub-headers array */
/* glyph_ids 518+NSUB*8 USHORT[] glyph ID array */
/* */
- /* The `keys' table is used to map charcode high-bytes to sub-headers. */
+ /* The `keys' table is used to map charcode high bytes to sub-headers. */
/* The value of `NSUBS' is the number of sub-headers defined in the */
/* table and is computed by finding the maximum of the `keys' table. */
/* */
- /* Note that for any n, `keys[n]' is a byte offset within the `subs' */
+ /* Note that for any `n', `keys[n]' is a byte offset within the `subs' */
/* table, i.e., it is the corresponding sub-header index multiplied */
/* by 8. */
/* */
@@ -269,8 +269,8 @@
/* delta 4 SHORT see below */
/* offset 6 USHORT see below */
/* */
- /* A sub-header defines, for each high-byte, the range of valid */
- /* low-bytes within the charmap. Note that the range defined by `first' */
+ /* A sub-header defines, for each high byte, the range of valid */
+ /* low bytes within the charmap. Note that the range defined by `first' */
/* and `count' must be completely included in the interval [0..255] */
/* according to the specification. */
/* */
@@ -360,7 +360,7 @@
/* check range within 0..255 */
if ( valid->level >= FT_VALIDATE_PARANOID )
{
- if ( first_code >= 256 || first_code + code_count > 256 )
+ if ( first_code >= 256 || code_count > 256 - first_code )
FT_INVALID_DATA;
}
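Review bot: The new test `code_count > 256 - first_code` is only correct because `first_code >= 256` sits to its left and short-circuits. If the two operands are ever reordered or split, and these values are unsigned as the form of the fix suggests, `256 - first_code` wraps for any first_code above 256 and the range check passes silently. A one-line comment above the condition would pin that dependency, for example `/* first_code < 256 here, so 256 - first_code cannot wrap */`. The check also runs only when `valid->level >= FT_VALIDATE_PARANOID`, so at lower levels a sub-header whose range leaves 0..255 is presumably accepted and the lookup path has to bound it itself; that cannot be confirmed from this hunk. The body of tt_cmap2_validate starts and ends outside the hunk.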
@@ -412,7 +412,7 @@
{
FT_UInt char_lo = (FT_UInt)( char_code & 0xFF );
FT_UInt char_hi = (FT_UInt)( char_code >> 8 );
- FT_Byte* p = table + 6; /* keys table */
+ FT_Byte* p = table + 6; /* keys table */
FT_Byte* subs = table + 518; /* subheaders table */
FT_Byte* sub;
@@ -425,8 +425,8 @@
sub = subs; /* jump to first sub-header */
/* check that the sub-header for this byte is 0, which */
- /* indicates that it is really a valid one-byte value */
- /* Otherwise, return 0 */
+ /* indicates that it is really a valid one-byte value; */
+ /* otherwise, return 0 */
/* */
p += char_lo * 2;
if ( TT_PEEK_USHORT( p ) != 0 )
@@ -445,6 +445,7 @@
if ( sub == subs )
goto Exit;
}
+
result = sub;
}