Commit 2cdc4562f873237f1c77d43540537c7a721d3fd8
2014-12-04T06:10:16
[cff] Fix Savannah bug #43661. * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM, cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after hintmask is constructed. * src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to avoid reading past end of hintmask.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97
diff --git a/ChangeLog b/ChangeLog
index 79c5b89..6a25737 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2014-12-04 Dave Arnold <darnold@adobe.com>
+
+ [cff] Fix Savannah bug #43661.
+
+ * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,
+ cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after
+ hintmask is constructed.
+
+ * src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to
+ avoid reading past end of hintmask.
+
2014-12-03 Werner Lemberg <wl@gnu.org>
docs/CHANGES: Updated.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 81049f4..28a892b 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -794,9 +794,12 @@
maskPtr = cf2_hintmask_getMaskPtr( &tempHintMask );
/* use the hStem hints only, which are first in the mask */
- /* TODO: compare this to cffhintmaskGetBitCount */
bitCount = cf2_arrstack_size( hStemHintArray );
+ /* Defense-in-depth. Should never return here. */
+ if ( bitCount > hintMask->bitCount )
+ return;
+
/* synthetic embox hints get highest priority */
if ( font->blues.doEmBoxHints )
{
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 5610917..a269606 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -4,7 +4,7 @@
/* */
/* Adobe's CFF Interpreter (body). */
/* */
-/* Copyright 2007-2013 Adobe Systems Incorporated. */
+/* Copyright 2007-2014 Adobe Systems Incorporated. */
/* */
/* This software, and all works of authorship, whether in source or */
/* object code form as indicated by the copyright notice(s) included */
@@ -593,8 +593,11 @@
/* never add hints after the mask is computed */
if ( cf2_hintmask_isValid( &hintMask ) )
+ {
FT_TRACE4(( "cf2_interpT2CharString:"
" invalid horizontal hint mask\n" ));
+ break;
+ }
cf2_doStems( font,
opStack,
@@ -614,8 +617,11 @@
/* never add hints after the mask is computed */
if ( cf2_hintmask_isValid( &hintMask ) )
+ {
FT_TRACE4(( "cf2_interpT2CharString:"
" invalid vertical hint mask\n" ));
+ break;
+ }
cf2_doStems( font,
opStack,
@@ -1141,15 +1147,16 @@
/* `cf2_hintmask_read' (which also traces the mask bytes) */
FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" ));
- /* if there are arguments on the stack, there this is an */
- /* implied cf2_cmdVSTEMHM */
- if ( cf2_stack_count( opStack ) != 0 )
+ /* never add hints after the mask is computed */
+ if ( cf2_stack_count( opStack ) > 1 &&
+ cf2_hintmask_isValid( &hintMask ) )
{
- /* never add hints after the mask is computed */
- if ( cf2_hintmask_isValid( &hintMask ) )
- FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
+ FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
+ break;
}
+ /* if there are arguments on the stack, there this is an */
+ /* implied cf2_cmdVSTEMHM */
cf2_doStems( font,
opStack,
&vStemHintArray,