Commit 64872a50165d842d72c520f5f7e19124dbf7822d

Werner Lemberg 2013-12-02T07:51:17

[truetype] Fix change from 2013-11-20. Problem reported by Akira Kakuto <kakuto@fuk.kindai.ac.jp>. * src/truetype/ttgload.c (TT_Load_Simple_Glyph): Protect call to `Update_Max' with both a TT_USE_BYTECODE_INTERPRETER guard and a `IS_HINTED' clause. Also remove redundant check using `maxSizeOfInstructions' – in simple glyphs, the bytecode data comes before the outline data, and a validity test for this is already present.

diff --git a/ChangeLog b/ChangeLog
index 196bd76..ca4699f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2013-12-02  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Fix change from 2013-11-20.
+
+	Problem reported by Akira Kakuto <kakuto@fuk.kindai.ac.jp>.
+
+	* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Protect call to
+	`Update_Max' with both a TT_USE_BYTECODE_INTERPRETER guard and a
+	`IS_HINTED' clause.
+	Also remove redundant check using `maxSizeOfInstructions' – in
+	simple glyphs, the bytecode data comes before the outline data, and
+	a validity test for this is already present.
+
 2013-11-27  Werner Lemberg  <wl@gnu.org>
 
 	[autofit] Fix use of dumping functions in `ftgrid' demo program.
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index cc62f93..d459ec1 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -348,8 +348,7 @@
     FT_GlyphLoader  gloader    = load->gloader;
     FT_Int          n_contours = load->n_contours;
     FT_Outline*     outline;
-    TT_Face         face       = (TT_Face)load->face;
-    FT_UShort       n_ins, max_ins;
+    FT_UShort       n_ins;
     FT_Int          n_points;
     FT_ULong        tmp;
 
@@ -418,30 +417,6 @@
     FT_TRACE5(( "  Instructions size: %u\n", n_ins ));
 
     /* check it */
-    max_ins = face->max_profile.maxSizeOfInstructions;
-    if ( n_ins > max_ins )
-    {
-      /* don't trust `maxSizeOfInstructions'; */
-      /* only do a rough safety check         */
-      if ( (FT_Int)n_ins > load->byte_len )
-      {
-        FT_TRACE1(( "TT_Load_Simple_Glyph:"
-                    " too many instructions (%d) for glyph with length %d\n",
-                    n_ins, load->byte_len ));
-        return FT_THROW( Too_Many_Hints );
-      }
-
-      tmp = load->exec->glyphSize;
-      error = Update_Max( load->exec->memory,
-                          &tmp,
-                          sizeof ( FT_Byte ),
-                          (void*)&load->exec->glyphIns,
-                          n_ins );
-      load->exec->glyphSize = (FT_UShort)tmp;
-      if ( error )
-        return error;
-    }
-
     if ( ( limit - p ) < n_ins )
     {
       FT_TRACE0(( "TT_Load_Simple_Glyph: instruction count mismatch\n" ));
@@ -453,6 +428,20 @@
 
     if ( IS_HINTED( load->load_flags ) )
     {
+      /* we don't trust `maxSizeOfInstructions' in the `maxp' table */
+      /* and thus update the bytecode array size by ourselves       */
+
+      tmp   = load->exec->glyphSize;
+      error = Update_Max( load->exec->memory,
+                          &tmp,
+                          sizeof ( FT_Byte ),
+                          (void*)&load->exec->glyphIns,
+                          n_ins );
+
+      load->exec->glyphSize = (FT_UShort)tmp;
+      if ( error )
+        return error;
+
       load->glyph->control_len  = n_ins;
       load->glyph->control_data = load->exec->glyphIns;
 
@@ -1244,12 +1233,13 @@
           return FT_THROW( Too_Many_Hints );
         }
 
-        tmp = loader->exec->glyphSize;
+        tmp   = loader->exec->glyphSize;
         error = Update_Max( loader->exec->memory,
                             &tmp,
                             sizeof ( FT_Byte ),
                             (void*)&loader->exec->glyphIns,
                             n_ins );
+
         loader->exec->glyphSize = (FT_UShort)tmp;
         if ( error )
           return error;