author | Werner Lemberg <wl@gnu.org> | 2010-07-02 01:27:49 +0200 |
committer | Werner Lemberg <wl@gnu.org> | 2010-07-02 01:27:49 +0200 |
commit | c2dabdeed05c1517bf1020ba6b2aa2d9b1c75470 (patch) | |
tree | 916463c7cdbca82ac0856e08d7b80b2cc3036ca6 | |
parent | a2d225e32248ad68e675ed5374518b3dbbab83d0 (diff) | |
parent | 5ef20c8c1d4de12a84b50ba497c2a358c90ec44b (diff) | |
download | freetype2-c2dabdeed05c1517bf1020ba6b2aa2d9b1c75470.tar.gz |
Merge branch 'master' of git.sv.gnu.org:/srv/git/freetype/freetype2
Conflicts:
ChangeLog
-rw-r--r-- | ChangeLog | 18 | ||||
-rw-r--r-- | src/base/ftobjs.c | 19 |
2 files changed, 36 insertions, 1 deletions
@@ -24,6 +24,24 @@
 threshold values for `width' and `height'. This is not directly
 related to the bug fix but makes sense anyway.
 
+2010-07-01 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
+ Initial fix for Savannah bug #30306.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
+ the length of fragment declared in the POST fragment header
+ and prevent an underflow in length calculation. Some fonts
+ set the length to zero in spite of the exist of following
+ 16bit `type'. Reported by Robert Swiecki.
+
+2010-07-01 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
+ Additional fix for Savannah bug #30248 and #30249.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
+ size during gathering PFB fragments embedded in LaserWriter PS
+ font for Macintosh. Reported by Robert Swiecki.
+
 2010-06-30 Alexei Podtelezhnikov <apodtele@gmail.com>
 
 Minor optimizations by avoiding divisions.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 32d441721..7c2662f6e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1547,11 +1547,22 @@
 goto Exit;
 if ( FT_READ_USHORT( flags ) )
 goto Exit;
-rlen -= 2; /* the flags are part of the resource */
+FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+ i, offsets[i], rlen, flags ));
+
+/* the flags are part of the resource, so rlen >= 2. */
+/* but some fonts declare rlen = 0 for empty fragment */
+if ( rlen > 2 )
+ rlen -= 2;
+else
+ rlen = 0;
+
 if ( ( flags >> 8 ) == type )
 len += rlen;
 else
 {
+ if ( pfb_lenpos + 3 > pfb_len + 2 )
+ goto Exit2;
 pfb_data[pfb_lenpos ] = (FT_Byte)( len );
 pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
 pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
@@ -1560,6 +1571,8 @@
 if ( ( flags >> 8 ) == 5 ) /* End of font mark */
 break;
 
+ if ( pfb_pos + 6 > pfb_len + 2 )
+ goto Exit2;
 pfb_data[pfb_pos++] = 0x80;
 
 type = flags >> 8;
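Review bot: Each added `goto Exit2` (here and in the two hunks that follow) leaves with whatever `error` currently holds, and nothing in the hunk assigns it first; if the value at that point is the result of a successful seek or read earlier in the loop (FreeType error codes are 0 on success), a fragment that fails the bounds check would be reported as success with the PFB buffer freed and no face produced, so the caller cannot tell the font was rejected. Mac_Read_POST_Resource and the `Exit2` label are outside the hunk; confirm which value reaches `return`, and if it can be 0, set a non-zero code before each jump, e.g. `error = FT_Err_Array_Too_Large;` on the line before `goto Exit2;`. Separately, the new FT_TRACE3 formats `offsets[i]` and `rlen` with `%08x`, which expects unsigned int; if those variables are `FT_Long`/`FT_ULong` (long on LP64 targets) the specifier should be `%08lx` so the debug build does not print garbage.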
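Review bot: The guard `if ( pfb_pos + 6 > pfb_len + 2 )` carries two bare constants whose meaning a reader of this region cannot recover: the 6 presumably covers the segment header written next (the `0x80` and type bytes visible here plus length bytes written outside the hunk), and the `+ 2` presumably mirrors the allocation size of `pfb_data`, which is also outside the hunk. Add a comment above the check, e.g. `/* 6-byte segment header: 0x80, type, 32-bit length; pfb_data holds pfb_len + 2 bytes */`, and give the same explanation for the `+ 3`/`+ 2` guards in the neighbouring hunks rather than leaving the slack implicit. The enclosing loop body starts and ends outside the hunk.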
@@ -1579,9 +1592,13 @@
 pfb_pos += rlen;
 }
 
+ if ( pfb_pos + 2 > pfb_len + 2 )
+ goto Exit2;
 pfb_data[pfb_pos++] = 0x80;
 pfb_data[pfb_pos++] = 3;
 
+ if ( pfb_lenpos + 3 > pfb_len + 2 )
+ goto Exit2;
 pfb_data[pfb_lenpos ] = (FT_Byte)( len );
 pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
 pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
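Review bot: The fragment body copy that advances `pfb_pos += rlen` at the top of this hunk lies outside the hunk, and nothing visible here bounds it by `pfb_len + 2` the way the two trailer writes now are; confirm the preceding read into `pfb_data + pfb_pos` (presumably an `FT_Stream_Read`) is guarded with `if ( pfb_pos + rlen > pfb_len + 2 ) goto Exit2;`, since an oversized `rlen` would otherwise overrun the buffer before the checks added here ever run. If that guard exists, a one-line comment at `pfb_pos += rlen;` pointing to it would spare the next reader the same question. The enclosing function starts and ends outside the hunk.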