Commit 6da023d1ff9b70f78c900774cc5d362af53ad92c
2010-05-20T15:38:00
TrueType: Make FreeType ignore maxSizeOfInstructions in `maxp'. Acroread does the same. * src/truetype/ttgload.c (TT_Process_Composite_Glyph): Call `Update_Max' to adjust size of instructions array if necessary and add a rough safety check. (load_truetype_glyph): Save `loader->byte_len' before recursive call. * src/truetype/ttinterp.h, src/truetype/ttinterp.c (Update_Max): Declare it as FT_LOCAL.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141
diff --git a/ChangeLog b/ChangeLog
index 7bb5fc1..5887202 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2010-05-20 Werner Lemberg <wl@gnu.org>
+
+ TrueType: Make FreeType ignore maxSizeOfInstructions in `maxp'.
+
+ Acroread does the same.
+
+ * src/truetype/ttgload.c (TT_Process_Composite_Glyph): Call
+ `Update_Max' to adjust size of instructions array if necessary and
+ add a rough safety check.
+
+ (load_truetype_glyph): Save `loader->byte_len' before recursive
+ call.
+
+ * src/truetype/ttinterp.h, src/truetype/ttinterp.c (Update_Max):
+ Declare it as FT_LOCAL.
+
2010-05-18 Hongbo Ni <hongbo@njstar.com>
Apply patch #7196.
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index ad416f0..2fc031b 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -1141,7 +1141,8 @@
{
FT_Stream stream = loader->stream;
- FT_UShort n_ins;
+ FT_UShort n_ins, max_ins;
+ FT_ULong tmp;
/* TT_Load_Composite_Glyph only gives us the offset of instructions */
@@ -1153,12 +1154,27 @@
FT_TRACE5(( " Instructions size = %d\n", n_ins ));
/* check it */
- if ( n_ins > ((TT_Face)loader->face)->max_profile.maxSizeOfInstructions )
+ max_ins = ((TT_Face)loader->face)->max_profile.maxSizeOfInstructions;
+ if ( n_ins > max_ins )
{
- FT_TRACE0(( "TT_Process_Composite_Glyph: too many instructions (%d)\n",
- n_ins ));
+ /* acroread ignores this field, so we only do a rough safety check */
+ if ( (FT_Int)n_ins > loader->byte_len )
+ {
+ FT_TRACE1(( "TT_Process_Composite_Glyph: "
+ "too many instructions (%d) for glyph with length (%d)\n",
+ n_ins, loader->byte_len ));
+ return TT_Err_Too_Many_Hints;
+ }
- return TT_Err_Too_Many_Hints;
+ tmp = loader->exec->glyphSize;
+ error = Update_Max( loader->exec->memory,
+ &tmp,
+ sizeof ( FT_Byte ),
+ (void*)&loader->exec->glyphIns,
+ n_ins );
+ loader->exec->glyphSize = (FT_UShort)tmp;
+ if ( error )
+ return error;
}
else if ( n_ins == 0 )
return TT_Err_Ok;
@@ -1516,6 +1532,7 @@
FT_UInt num_base_subgs = gloader->base.num_subglyphs;
FT_Stream old_stream = loader->stream;
+ FT_Int old_byte_len = loader->byte_len;
FT_GlyphLoader_Add( gloader );
@@ -1570,7 +1587,8 @@
num_base_points );
}
- loader->stream = old_stream;
+ loader->stream = old_stream;
+ loader->byte_len = old_byte_len;
/* process the glyph */
loader->ins_pos = ins_pos;
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 13aa9a2..18ff7c6 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4,8 +4,9 @@
/* */
/* TrueType bytecode interpreter (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
-/* David Turner, Robert Wilhelm, and Werner Lemberg. */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */
+/* 2010 */
+/* by David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
/* modified, and distributed under the terms of the FreeType project */
@@ -508,7 +509,7 @@
/* <Return> */
/* FreeType error code. 0 means success. */
/* */
- static FT_Error
+ FT_LOCAL_DEF( FT_Error )
Update_Max( FT_Memory memory,
FT_ULong* size,
FT_Long multiplier,
diff --git a/src/truetype/ttinterp.h b/src/truetype/ttinterp.h
index 07a8972..732a1f2 100644
--- a/src/truetype/ttinterp.h
+++ b/src/truetype/ttinterp.h
@@ -4,7 +4,7 @@
/* */
/* TrueType bytecode interpreter (specification). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007 by */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -239,6 +239,14 @@ FT_BEGIN_HEADER
FT_Int range );
+ FT_LOCAL( FT_Error )
+ Update_Max( FT_Memory memory,
+ FT_ULong* size,
+ FT_Long multiplier,
+ void* _pbuff,
+ FT_ULong new_max );
+
+
/*************************************************************************/
/* */
/* <Function> */