Commit 3788187e0c396952cd7d905c6c61f3ff8e84b2b4
2014-11-22T10:46:47
[type42] Fix Savannah bug #43659. * src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'. * src/type42/t42parse.c (t42_parse_sfnts): Always set `face->ttf_size' directly. This ensures a correct stream size in the call to `FT_Open_Face', which follows after parsing, even for buggy input data. Fix error messages.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115
diff --git a/ChangeLog b/ChangeLog
index 3913619..91d8bbb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
2014-11-22 Werner Lemberg <wl@gnu.org>
+ [type42] Fix Savannah bug #43659.
+
+ * src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
+
+ * src/type42/t42parse.c (t42_parse_sfnts): Always set
+ `face->ttf_size' directly. This ensures a correct stream size in
+ the call to `FT_Open_Face', which follows after parsing, even for
+ buggy input data.
+ Fix error messages.
+
+2014-11-22 Werner Lemberg <wl@gnu.org>
+
[cff] Fix Savannah bug #43658.
* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 798ebdb..7a9cb57 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -47,6 +47,12 @@
if ( FT_ALLOC( face->ttf_data, 12 ) )
goto Exit;
+ /* while parsing the font we always update `face->ttf_size' so that */
+ /* even in case of buggy data (which might lead to premature end of */
+ /* scanning without causing an error) the call to `FT_Open_Face' in */
+ /* `T42_Face_Init' passes the correct size */
+ face->ttf_size = 12;
+
error = t42_parser_init( parser,
face->root.stream,
memory,
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index a60e216..daf304d 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -524,7 +524,7 @@
FT_Byte* limit = parser->root.limit;
FT_Error error;
FT_Int num_tables = 0;
- FT_ULong count, ttf_size = 0;
+ FT_ULong count;
FT_Long n, string_size, old_string_size, real_size;
FT_Byte* string_buf = NULL;
@@ -617,7 +617,7 @@
if ( limit - parser->root.cursor < string_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
@@ -657,18 +657,18 @@
}
else
{
- num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
- status = BEFORE_TABLE_DIR;
- ttf_size = 12 + 16 * num_tables;
+ num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
+ status = BEFORE_TABLE_DIR;
+ face->ttf_size = 12 + 16 * num_tables;
- if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
goto Fail;
}
/* fall through */
case BEFORE_TABLE_DIR:
/* the offset table is read; read the table directory */
- if ( count < ttf_size )
+ if ( count < face->ttf_size )
{
face->ttf_data[count++] = string_buf[n];
continue;
@@ -687,24 +687,23 @@
len = FT_PEEK_ULONG( p );
/* Pad to a 4-byte boundary length */
- ttf_size += ( len + 3 ) & ~3;
+ face->ttf_size += ( len + 3 ) & ~3;
}
- status = OTHER_TABLES;
- face->ttf_size = ttf_size;
+ status = OTHER_TABLES;
/* there are no more than 256 tables, so no size check here */
if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
- ttf_size + 1 ) )
+ face->ttf_size + 1 ) )
goto Fail;
}
/* fall through */
case OTHER_TABLES:
/* all other tables are just copied */
- if ( count >= ttf_size )
+ if ( count >= face->ttf_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}