* src/sfnt/ttcmap.c (tt_cmap2_validate): Fix potential numeric overflow.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94
diff --git a/ChangeLog b/ChangeLog
index 65bc409..d3ead8f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2018-03-13 Werner Lemberg <wl@gnu.org>
+ * src/sfnt/ttcmap.c (tt_cmap2_validate): Fix potential numeric
+ overflow.
+
+2018-03-13 Werner Lemberg <wl@gnu.org>
+
Fix cmap format 2 handling (#53320).
The patch introduced for #52646 was not correct.
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 58b49c9..dcde869 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -222,10 +222,10 @@
/***** The following charmap lookup and iteration functions all *****/
/***** assume that the value `charcode' fulfills the following. *****/
/***** *****/
- /***** - For one byte characters, `charcode' is simply the *****/
+ /***** - For one-byte characters, `charcode' is simply the *****/
/***** character code. *****/
/***** *****/
- /***** - For two byte characters, `charcode' is the 2-byte *****/
+ /***** - For two-byte characters, `charcode' is the 2-byte *****/
/***** character code in big endian format. More precisely: *****/
/***** *****/
/***** (charcode >> 8) is the first byte value *****/
@@ -252,11 +252,11 @@
/* subs 518 SUBHEAD[NSUBS] sub-headers array */
/* glyph_ids 518+NSUB*8 USHORT[] glyph ID array */
/* */
- /* The `keys' table is used to map charcode high-bytes to sub-headers. */
+ /* The `keys' table is used to map charcode high bytes to sub-headers. */
/* The value of `NSUBS' is the number of sub-headers defined in the */
/* table and is computed by finding the maximum of the `keys' table. */
/* */
- /* Note that for any n, `keys[n]' is a byte offset within the `subs' */
+ /* Note that for any `n', `keys[n]' is a byte offset within the `subs' */
/* table, i.e., it is the corresponding sub-header index multiplied */
/* by 8. */
/* */
@@ -269,8 +269,8 @@
/* delta 4 SHORT see below */
/* offset 6 USHORT see below */
/* */
- /* A sub-header defines, for each high-byte, the range of valid */
- /* low-bytes within the charmap. Note that the range defined by `first' */
+ /* A sub-header defines, for each high byte, the range of valid */
+ /* low bytes within the charmap. Note that the range defined by `first' */
/* and `count' must be completely included in the interval [0..255] */
/* according to the specification. */
/* */
@@ -360,7 +360,7 @@
/* check range within 0..255 */
if ( valid->level >= FT_VALIDATE_PARANOID )
{
- if ( first_code >= 256 || first_code + code_count > 256 )
+ if ( first_code >= 256 || code_count > 256 - first_code )
FT_INVALID_DATA;
}
@@ -412,7 +412,7 @@
{
FT_UInt char_lo = (FT_UInt)( char_code & 0xFF );
FT_UInt char_hi = (FT_UInt)( char_code >> 8 );
- FT_Byte* p = table + 6; /* keys table */
+ FT_Byte* p = table + 6; /* keys table */
FT_Byte* subs = table + 518; /* subheaders table */
FT_Byte* sub;
@@ -425,8 +425,8 @@
sub = subs; /* jump to first sub-header */
/* check that the sub-header for this byte is 0, which */
- /* indicates that it is really a valid one-byte value */
- /* Otherwise, return 0 */
+ /* indicates that it is really a valid one-byte value; */
+ /* otherwise, return 0 */
/* */
p += char_lo * 2;
if ( TT_PEEK_USHORT( p ) != 0 )
@@ -445,6 +445,7 @@
if ( sub == subs )
goto Exit;
}
+
result = sub;
}