Fix Ghostscript Coverity issue #3904. * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against zero value of `runcnt'.
diff --git a/ChangeLog b/ChangeLog
index 69661c1..ace7524 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-03-21 Werner Lemberg <wl@gnu.org>
+
+ Fix Ghostscript Coverity issue #3904.
+
+ * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against
+ zero value of `runcnt'.
+
2009-03-20 Werner Lemberg <wl@gnu.org>
Fix `make multi' run.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 515e734..e588817 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -4,7 +4,7 @@
/* */
/* TrueType GX Font Variation loader */
/* */
-/* Copyright 2004, 2005, 2006, 2007, 2008 by */
+/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */
/* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -16,30 +16,31 @@
/***************************************************************************/
-/***************************************************************************/
-/* */
-/* Apple documents the `fvar', `gvar', `cvar', and `avar' tables at */
-/* */
-/* http://developer.apple.com/fonts/TTRefMan/RM06/Chap6[fgca]var.html */
-/* */
-/* The documentation for `fvar' is inconsistent. At one point it says */
-/* that `countSizePairs' should be 3, at another point 2. It should be 2. */
-/* */
-/* The documentation for `gvar' is not intelligible; `cvar' refers you to */
-/* `gvar' and is thus also incomprehensible. */
-/* */
-/* The documentation for `avar' appears correct, but Apple has no fonts */
-/* with an `avar' table, so it is hard to test. */
-/* */
-/* Many thanks to John Jenkins (at Apple) in figuring this out. */
-/* */
-/* */
-/* Apple's `kern' table has some references to tuple indices, but as there */
-/* is no indication where these indices are defined, nor how to */
-/* interpolate the kerning values (different tuples have different */
-/* classes) this issue is ignored. */
-/* */
-/***************************************************************************/
+ /*************************************************************************/
+ /* */
+ /* Apple documents the `fvar', `gvar', `cvar', and `avar' tables at */
+ /* */
+ /* http://developer.apple.com/fonts/TTRefMan/RM06/Chap6[fgca]var.html */
+ /* */
+ /* The documentation for `fvar' is inconsistent. At one point it says */
+ /* that `countSizePairs' should be 3, at another point 2. It should */
+ /* be 2. */
+ /* */
+ /* The documentation for `gvar' is not intelligible; `cvar' refers you */
+ /* to `gvar' and is thus also incomprehensible. */
+ /* */
+ /* The documentation for `avar' appears correct, but Apple has no fonts */
+ /* with an `avar' table, so it is hard to test. */
+ /* */
+ /* Many thanks to John Jenkins (at Apple) in figuring this out. */
+ /* */
+ /* */
+ /* Apple's `kern' table has some references to tuple indices, but as */
+ /* there is no indication where these indices are defined, nor how to */
+ /* interpolate the kerning values (different tuples have different */
+ /* classes) this issue is ignored. */
+ /* */
+ /*************************************************************************/
#include <ft2build.h>
@@ -158,6 +159,9 @@
runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
first = points[i++] = FT_GET_USHORT();
+ if ( !runcnt )
+ goto Exit;
+
/* first point not included in runcount */
for ( j = 0; j < runcnt; ++j )
points[i++] = (FT_UShort)( first += FT_GET_USHORT() );
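Review bot: Both copy loops, `for ( j = 0; j < runcnt; ++j )` here and the byte variant in the next hunk, bound their writes to `points[i++]` only by `runcnt`, a value read from the font stream, and the added zero check does not change that. If the enclosing loop, which starts outside this hunk, compares `i` with the array length only between runs, a run count larger than the remaining slots would write past the end of `points`. I would bound the index in the loop condition, e.g. `for ( j = 0; j < runcnt && i < POINT_COUNT; ++j )`, where POINT_COUNT is a placeholder for the allocated element count that is not visible here, or reject the run before copying. The allocation size is inferred, so confirm it against the start of the function.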
@@ -166,11 +170,15 @@
{
first = points[i++] = FT_GET_BYTE();
+ if ( !runcnt )
+ goto Exit;
+
for ( j = 0; j < runcnt; ++j )
points[i++] = (FT_UShort)( first += FT_GET_BYTE() );
}
}
+ Exit:
return points;
}
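Review bot: The new `Exit:` label returns `points` exactly as the success path does, so a caller cannot tell a fully decoded array from one cut short by `goto Exit`. With `runcnt` equal to zero the `for` loops would already run no iterations, so the visible effect of the check is to skip any runs that follow. Entries from `i` onward then keep whatever the allocation left in them, presumably while the point count reported to the caller (set outside this hunk) stays unchanged. If that truncation is intended, document it at the label, e.g. `/* zero run count: stop decoding, remaining entries are not filled in */`; otherwise consider releasing `points` and signalling failure to the caller.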