* src/sfnt/ttload.c (TT_Load_Names): simplifying and securing the

        names table loader. Invalid individual name entries are now handled
        correctly. This allows the loading of very buggy fonts like
        "foxjump.ttf" without allocating tons of memory and causing crashes..

2 files changed, 47 insertions, 35 deletions

diff --git a/ChangeLog b/ChangeLog
index bfdcbd054..6a3123aa7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,18 @@
+2002-02-28  David Turner  <david@freetype.org>
+
+        * STABLE branch created, the HEAD is used for the major re-factoring
+        needed to get FreeType 2.2 out
+
+        * src/sfnt/ttload.c (TT_Load_Names): simplifying and securing the
+        names table loader. Invalid individual name entries are now handled
+        correctly. This allows the loading of very buggy fonts like
+        "foxjump.ttf" without allocating tons of memory and causing crashes..
+
 2002-02-08  David Turner  <david@freetype.org>
 
+	* Version 2.0.8 released.
+	=========================
+
         * docs/CHANGES: updating for 2.0.8
 
         * include/freetype/freetype.h: setting PATCH_LEVEL to 8 and
@@ -43,7 +56,7 @@
 	better (delaying format checks out of FT_Access_Frame ..
 	FT_Forget_Frame blocks to avoid leaving the stream in an incorrect
 	state when encountering an invalid PCF font).
-	
+
 	* src/pcf/pcfdriver.c (PCF_Done_Face): Renamed to ...
 	(PCF_Face_Done): This.
 	(PCF_Init_Face): Renamed to ...
@@ -53,13 +66,13 @@
 	(PCF_Get_Next_Char): Renamed to ...
 	(PCF_Char_Get_Next): This.
 	(pcf_driver_class): Updated.
-	
+
 	* src/pcf/pcf.h (PCF_Done_Face): Removed.
 
 2002-02-06  Detlef Würkner  <TetiSoft@apg.lahn.de>
 
 	* src/pcf/pcfdriver.c (FT_Done_Face): Fixed small memory leak.
-        
+
 	* src/pcf/pcfread.c (pcf_load_font): Now handles the "AVERAGE_WIDTH"
 	property to return correct character pixel (width/height) pairs for
 	embedded bitmaps.
@@ -359,7 +372,7 @@
 
 	* src/cff/cffgload.c (CFF_Parse_CharStrings), src/psaux/t1decode.c
 	(T1_Decoder_Parse_Charstrings), src/pshinter/pshalgo2.c (*), Fixed a
-	bug where the X and Y axis where inversed in the postscript hinter. 
+	bug where the X and Y axis where inversed in the postscript hinter.
 	This caused problem when displaying on non-square surfaces.
 
 	* src/pshinter/pshalgo2.c: s/vertical/dimension/.
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index f84cc047a..8dc5cdc2a 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -923,7 +923,8 @@
     FT_Memory  memory = stream->memory;
 
     FT_ULong   table_pos, table_len;
-    FT_ULong   storageSize;
+    FT_ULong   storageOffset, storageSize;
+    FT_Byte*   storage;
 
     TT_NameTable*  names;
 
@@ -973,13 +974,26 @@
     if ( READ_Fields( name_table_fields, names ) )
       goto Exit;
 
+    /* check the 'storageOffset' field */
+    storageOffset = names->storageOffset;
+    if ( storageOffset <  (FT_ULong)(6 + 12*names->numNameRecords) ||
+         table_len     <= storageOffset                            )
+    {
+      FT_ERROR(( "TT.load_names: invalid 'name' table\n" ));
+      error = SFNT_Err_Name_Table_Missing;
+      goto Exit;
+    }
+
+    storageSize = (FT_ULong)(table_len - storageOffset);
+
     /* Allocate the array of name records. */
-    if ( ALLOC_ARRAY( names->names,
-                      names->numNameRecords,
-                      TT_NameRec )                   ||
+    if ( ALLOC( names->names,
+                names->numNameRecords*sizeof(TT_NameRec) + storageSize )  ||
          ACCESS_Frame( names->numNameRecords * 12L ) )
       goto Exit;
 
+    storage = (FT_Byte*)(names->names + names->numNameRecords);
+
     /* Load the name records and determine how much storage is needed */
     /* to hold the strings themselves.                                */
     {
@@ -987,8 +1001,6 @@
       TT_NameRec*  limit = cur + names->numNameRecords;
 
 
-      storageSize = 0;
-
       for ( ; cur < limit; cur ++ )
       {
         FT_ULong  upper;
@@ -997,31 +1009,16 @@
         if ( READ_Fields( name_record_fields, cur ) )
           break;
 
-        upper = (FT_ULong)( cur->stringOffset + cur->stringLength );
-        if ( upper > storageSize )
-          storageSize = upper;
+        /* invalid name entries will have "cur->string" set to NULL !! */
+        if ( (FT_ULong)(cur->stringOffset + cur->stringLength) < storageSize )
+          cur->string = storage + cur->stringOffset;
       }
     }
 
     FORGET_Frame();
 
-    if ( storageSize > 0 )
-    {
-      /* allocate the name storage area in memory, then read it */
-      if ( ALLOC( names->storage, storageSize )               ||
-           FILE_Read_At( table_pos + names->storageOffset,
-                         names->storage, storageSize ) )
-        goto Exit;
-
-      /* Go through and assign the string pointers to the name records. */
-      {
-        TT_NameRec*  cur   = names->names;
-        TT_NameRec*  limit = cur + names->numNameRecords;
-
-
-        for ( ; cur < limit; cur++ )
-          cur->string = names->storage + cur->stringOffset;
-      }
+    if (error)
+      goto Exit;
 
 #ifdef FT_DEBUG_LEVEL_TRACE
 
@@ -1036,7 +1033,7 @@
           FT_UInt  j;
 
 
-          FT_TRACE3(( "%d %d %x %d\n  ",
+          FT_TRACE3(( "(%2d %2d %4x %2d)  ",
                        cur->platformID,
                        cur->encodingID,
                        cur->languageID,
@@ -1047,19 +1044,21 @@
           if ( cur->string )
             for ( j = 0; j < (FT_UInt)cur->stringLength; j++ )
             {
-              FT_Char  c = *( cur->string + j );
+              FT_Byte  c = *(FT_Byte*)(cur->string + j);
 
 
-              if ( (FT_Byte)c < 128 )
+              if ( c >= 32 && c < 128 )
                 FT_TRACE3(( "%c", c ));
             }
+          else
+            FT_TRACE3(( "INVALID ENTRY !!\n" ));
+
+          FT_TRACE3(( "\n" ));
         }
       }
-      FT_TRACE3(( "\n" ));
 
 #endif /* FT_DEBUG_LEVEL_TRACE */
 
-    }
     FT_TRACE2(( "loaded\n" ));
 
     /* everything went well, update face->num_names */