authorWerner Lemberg <wl@gnu.org>2010-07-02 01:27:49 +0200
committerWerner Lemberg <wl@gnu.org>2010-07-02 01:27:49 +0200
commitc2dabdeed05c1517bf1020ba6b2aa2d9b1c75470 (patch)
tree916463c7cdbca82ac0856e08d7b80b2cc3036ca6
parenta2d225e32248ad68e675ed5374518b3dbbab83d0 (diff)
parent5ef20c8c1d4de12a84b50ba497c2a358c90ec44b (diff)
Merge branch 'master' of git.sv.gnu.org:/srv/git/freetype/freetype2
Conflicts: ChangeLog
-rw-r--r--ChangeLog18
-rw-r--r--src/base/ftobjs.c19
2 files changed, 36 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index ac5842291..4073342f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,24 @@
threshold values for `width' and `height'. This is not directly
related to the bug fix but makes sense anyway.
+2010-07-01 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
+ Initial fix for Savannah bug #30306.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
+ the length of fragment declared in the POST fragment header
+ and prevent an underflow in length calculation. Some fonts
+ set the length to zero in spite of the exist of following
+ 16bit `type'. Reported by Robert Swiecki.
+
+2010-07-01 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
+ Additional fix for Savannah bug #30248 and #30249.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
+ size during gathering PFB fragments embedded in LaserWriter PS
+ font for Macintosh. Reported by Robert Swiecki.
+
2010-06-30 Alexei Podtelezhnikov <apodtele@gmail.com>
Minor optimizations by avoiding divisions.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 32d441721..7c2662f6e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1547,11 +1547,22 @@
goto Exit;
if ( FT_READ_USHORT( flags ) )
goto Exit;
- rlen -= 2; /* the flags are part of the resource */
+ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+ i, offsets[i], rlen, flags ));
+
+ /* the flags are part of the resource, so rlen >= 2. */
+ /* but some fonts declare rlen = 0 for empty fragment */
+ if ( rlen > 2 )
+ rlen -= 2;
+ else
+ rlen = 0;
+
if ( ( flags >> 8 ) == type )
len += rlen;
else
{
+ if ( pfb_lenpos + 3 > pfb_len + 2 )
+ goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
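Review bot: The new guard `if ( pfb_lenpos + 3 > pfb_len + 2 )` is looser than the other checks this commit adds, which are all of the form `position + bytes_written > pfb_len + 2`: it admits `pfb_lenpos + 3 == pfb_len + 2`, so the third visible store at `pfb_lenpos + 2` lands on the last byte of a `pfb_len + 2`-byte buffer and any fourth length byte (the `len >> 16` sequence suggests a `len >> 24` store follows just past the hunk) would be written one past the end. If a fourth byte is written the guard should read `if ( pfb_lenpos + 4 > pfb_len + 2 )`; the allocation itself is not visible here, so confirm the buffer really is `pfb_len + 2` bytes. Separately, the new FT_TRACE3 prints `offsets[i]` and `rlen` with `%08x`; if both are `FT_Long`, as their use with FT_READ_LONG suggests, that is a format/argument mismatch on LP64 and should be `%08lx` with a cast, though it only matters in trace builds. The enclosing loop in Mac_Read_POST_Resource starts and ends outside this hunk.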
@@ -1560,6 +1571,8 @@
if ( ( flags >> 8 ) == 5 ) /* End of font mark */
break;
+ if ( pfb_pos + 6 > pfb_len + 2 )
+ goto Exit2;
pfb_data[pfb_pos++] = 0x80;
type = flags >> 8;
@@ -1579,9 +1592,13 @@
pfb_pos += rlen;
}
+ if ( pfb_pos + 2 > pfb_len + 2 )
+ goto Exit2;
pfb_data[pfb_pos++] = 0x80;
pfb_data[pfb_pos++] = 3;
+ if ( pfb_lenpos + 3 > pfb_len + 2 )
+ goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
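Review bot: Neither of the two new `goto Exit2` jumps sets `error` before leaving, and the only assignments to `error` visible in this diff are the FT_READ_* conditions in the loop, which presumably leave it at zero after a successful read; unless the Exit2 label (outside the hunk) assigns a code, an oversized fragment list would free pfb_data and still report success to the caller. Set a non-zero code before the jump, e.g. `error = FT_Err_Array_Too_Large;` placed once immediately before `if ( pfb_pos + 2 > pfb_len + 2 )` so both trailer checks share it, using whatever out-of-range error this tree defines. The same applies to the `goto Exit2` sites added earlier in the loop. Mac_Read_POST_Resource continues past the end of this hunk.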