[truetype] Fix change from 2013-11-20. Problem reported by Akira Kakuto <kakuto@fuk.kindai.ac.jp>. * src/truetype/ttgload.c (TT_Load_Simple_Glyph): Protect call to `Update_Max' with both a TT_USE_BYTECODE_INTERPRETER guard and a `IS_HINTED' clause. Also remove redundant check using `maxSizeOfInstructions' – in simple glyphs, the bytecode data comes before the outline data, and a validity test for this is already present.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102
diff --git a/ChangeLog b/ChangeLog
index 196bd76..ca4699f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2013-12-02 Werner Lemberg <wl@gnu.org>
+
+ [truetype] Fix change from 2013-11-20.
+
+ Problem reported by Akira Kakuto <kakuto@fuk.kindai.ac.jp>.
+
+ * src/truetype/ttgload.c (TT_Load_Simple_Glyph): Protect call to
+ `Update_Max' with both a TT_USE_BYTECODE_INTERPRETER guard and a
+ `IS_HINTED' clause.
+ Also remove redundant check using `maxSizeOfInstructions' – in
+ simple glyphs, the bytecode data comes before the outline data, and
+ a validity test for this is already present.
+
2013-11-27 Werner Lemberg <wl@gnu.org>
[autofit] Fix use of dumping functions in `ftgrid' demo program.
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index cc62f93..d459ec1 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -348,8 +348,7 @@
FT_GlyphLoader gloader = load->gloader;
FT_Int n_contours = load->n_contours;
FT_Outline* outline;
- TT_Face face = (TT_Face)load->face;
- FT_UShort n_ins, max_ins;
+ FT_UShort n_ins;
FT_Int n_points;
FT_ULong tmp;
@@ -418,30 +417,6 @@
FT_TRACE5(( " Instructions size: %u\n", n_ins ));
/* check it */
- max_ins = face->max_profile.maxSizeOfInstructions;
- if ( n_ins > max_ins )
- {
- /* don't trust `maxSizeOfInstructions'; */
- /* only do a rough safety check */
- if ( (FT_Int)n_ins > load->byte_len )
- {
- FT_TRACE1(( "TT_Load_Simple_Glyph:"
- " too many instructions (%d) for glyph with length %d\n",
- n_ins, load->byte_len ));
- return FT_THROW( Too_Many_Hints );
- }
-
- tmp = load->exec->glyphSize;
- error = Update_Max( load->exec->memory,
- &tmp,
- sizeof ( FT_Byte ),
- (void*)&load->exec->glyphIns,
- n_ins );
- load->exec->glyphSize = (FT_UShort)tmp;
- if ( error )
- return error;
- }
-
if ( ( limit - p ) < n_ins )
{
FT_TRACE0(( "TT_Load_Simple_Glyph: instruction count mismatch\n" ));
@@ -453,6 +428,20 @@
if ( IS_HINTED( load->load_flags ) )
{
+ /* we don't trust `maxSizeOfInstructions' in the `maxp' table */
+ /* and thus update the bytecode array size by ourselves */
+
+ tmp = load->exec->glyphSize;
+ error = Update_Max( load->exec->memory,
+ &tmp,
+ sizeof ( FT_Byte ),
+ (void*)&load->exec->glyphIns,
+ n_ins );
+
+ load->exec->glyphSize = (FT_UShort)tmp;
+ if ( error )
+ return error;
+
load->glyph->control_len = n_ins;
load->glyph->control_data = load->exec->glyphIns;
@@ -1244,12 +1233,13 @@
return FT_THROW( Too_Many_Hints );
}
- tmp = loader->exec->glyphSize;
+ tmp = loader->exec->glyphSize;
error = Update_Max( loader->exec->memory,
&tmp,
sizeof ( FT_Byte ),
(void*)&loader->exec->glyphIns,
n_ins );
+
loader->exec->glyphSize = (FT_UShort)tmp;
if ( error )
return error;