Commit 685dd4f7b8e6437093424a1931f4b1cb72f8c900
2004-10-13T05:15:44
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer overflow. * src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input. Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work in case of failure. * src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals. (tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after frame test. * src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for `flag'.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126
diff --git a/ChangeLog b/ChangeLog
index dd0ce57..9a8a7ea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2004-10-11 Joshua Neal <jneal@csdaily.com>
+
+ * src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer
+ overflow.
+
+ * src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input.
+ Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work
+ in case of failure.
+
+ * src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals.
+ (tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after
+ frame test.
+
+ * src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for
+ `flag'.
+
2004-10-09 Werner Lemberg <wl@gnu.org>
* docs/CHANGES: Updated.
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 71f216c..bc851ee 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1935,7 +1935,9 @@
charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
offset = TT_NEXT_ULONG( p );
- if ( offset && table + offset + 2 < limit )
+ if ( offset &&
+ table + offset + 2 < limit &&
+ table + offset >= table )
{
FT_Byte* cmap = table + offset;
volatile FT_UInt format = TT_PEEK_USHORT( cmap );
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index fa5c6a7..1a3dcb6 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -1842,16 +1842,21 @@
FT_FRAME_EXIT();
+ if ( record_size < 0 || num_records < 0 )
+ return SFNT_Err_Invalid_File_Format;
+
/* Only recognize format 0 */
if ( hdmx->version != 0 )
goto Exit;
- if ( FT_QNEW_ARRAY( hdmx->records, num_records ) )
+ /* we can't use FT_QNEW_ARRAY here; otherwise tt_face_free_hdmx */
+ /* could fail during deallocation */
+ if ( FT_NEW_ARRAY( hdmx->records, num_records ) )
goto Exit;
hdmx->num_records = num_records;
- num_glyphs = face->root.num_glyphs;
- record_size -= num_glyphs + 2;
+ num_glyphs = face->root.num_glyphs;
+ record_size -= num_glyphs + 2;
{
TT_HdmxEntry cur = hdmx->records;
@@ -1871,7 +1876,7 @@
/* skip padding bytes */
if ( record_size > 0 && FT_STREAM_SKIP( record_size ) )
- goto Exit;
+ goto Exit;
}
}
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index 444c27a..cff40e5 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -334,6 +334,13 @@
FT_Bool large = FT_BOOL( range->index_format == 1 );
+
+ if ( range->last_glyph < range->first_glyph )
+ {
+ error = SFNT_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
num_glyphs = range->last_glyph - range->first_glyph + 1L;
range->num_glyphs = num_glyphs;
num_glyphs++; /* XXX: BEWARE - see spec */
@@ -519,14 +526,14 @@
FT_ULong count2 = strike->num_ranges;
- if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
- goto Exit;
-
/* read each range */
if ( FT_STREAM_SEEK( table_base + strike->ranges_offset ) ||
FT_FRAME_ENTER( strike->num_ranges * 8L ) )
goto Exit;
+ if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
+ goto Exit;
+
range = strike->sbit_ranges;
while ( count2 > 0 )
{
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index 0c3ee44..572de84 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -426,6 +426,8 @@
flag = (FT_Byte*)outline->tags;
flag_limit = flag + n_points;
+ FT_ASSERT( flag != NULL );
+
while ( flag < flag_limit )
{
if ( --byte_len < 0 )