Commit 08c628d128e6fba3a7a7be610d459b0d7f556f07
2014-02-26T14:18:03
[cff] Fix Savannah bug #41693. * src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
diff --git a/ChangeLog b/ChangeLog
index b6a419d..fb0d6b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2014-02-26 Wermer Lemberg <wl@gnu.org>
+ [cff] Fix Savannah bug #41693.
+
+ * src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
+
+2014-02-26 Wermer Lemberg <wl@gnu.org>
+
[bdf] Fix Savannah bug #41692.
bdflib puts data from the input stream into a buffer in chunks of
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index ff271f3..d9bec59 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -4,7 +4,7 @@
/* */
/* OpenType and CFF data/program tables loader (body). */
/* */
-/* Copyright 1996-2013 by */
+/* Copyright 1996-2014 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -689,6 +689,13 @@
if ( FT_READ_USHORT( num_ranges ) )
goto Exit;
+ if ( !num_ranges )
+ {
+ FT_TRACE0(( "CFF_Load_FD_Select: empty FDSelect array\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
fdselect->data_size = num_ranges * 3 + 2;
Load_Data:
@@ -719,7 +726,7 @@
break;
case 3:
- /* first, compare to cache */
+ /* first, compare to the cache */
if ( (FT_UInt)( glyph_index - fdselect->cache_first ) <
fdselect->cache_count )
{
@@ -727,7 +734,7 @@
break;
}
- /* then, lookup the ranges array */
+ /* then, look up the ranges array */
{
FT_Byte* p = fdselect->data;
FT_Byte* p_limit = p + fdselect->data_size;
@@ -750,7 +757,7 @@
/* update cache */
fdselect->cache_first = first;
- fdselect->cache_count = limit-first;
+ fdselect->cache_count = limit - first;
fdselect->cache_fd = fd2;
break;
}