Fix Savannah bug #30082. * src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_callothersubr>: Protect against stack underflow.
diff --git a/ChangeLog b/ChangeLog
index df72e09..183237f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,15 @@
+2010-06-09 Werner Lemberg <wl@gnu.org>
+
+ Fix Savannah bug #30082.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings)
+ <cff_op_callothersubr>: Protect against stack underflow.
+
2010-06-08 Werner Lemberg <wl@gnu.org>
Fix Savannah bug #30053.
- * src/cff/cffparse (cff_parse_real): Handle border case where
+ * src/cff/cffparse.c (cff_parse_real): Handle border case where
`fraction_length' has value 10.
2010-06-07 Werner Lemberg <wl@gnu.org>
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index 9e4dfc5..58af356 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -2275,6 +2275,8 @@
/* this is the implementation described for `unknown' other */
/* subroutines in the Type1 spec. */
args -= 2 + ( args[-2] >> 16 );
+ if ( args < stack )
+ goto Stack_Underflow;
break;
case cff_op_pop:
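Review bot: The added `if ( args < stack )` test runs only after `args` has already been moved by `2 + ( args[-2] >> 16 )`, a count that appears to come from the charstring being parsed, so it catches only the downward case and compares a pointer that may already lie outside the operand stack. A negative value in `args[-2]` would make the subtraction move `args` upward, which this guard does not reject; whether a later bound check covers that is not visible in the hunk. Validating the count before the arithmetic avoids both problems, e.g. `n = args[-2] >> 16;` then `if ( n < 0 || args - stack < 2 + n ) goto Stack_Underflow;` then `args -= 2 + n;`, with `n` a new local. The enclosing switch and function start and end outside the hunk, so whether `args[-2]` itself is guaranteed to be in range at this point cannot be confirmed from these lines.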
diff --git a/src/smooth/ftgrays.c b/src/smooth/ftgrays.c
index 846e454..cef8188 100644
--- a/src/smooth/ftgrays.c
+++ b/src/smooth/ftgrays.c
@@ -1007,45 +1007,40 @@
const FT_Vector* control2,
const FT_Vector* to )
{
- TPos dx, dy, da, db;
+ TPos dx, dy;
+ TPos mid_x, mid_y;
int top, level;
int* levels;
FT_Vector* arc;
- dx = DOWNSCALE( ras.x ) + to->x - ( control1->x << 1 );
- if ( dx < 0 )
- dx = -dx;
- dy = DOWNSCALE( ras.y ) + to->y - ( control1->y << 1 );
- if ( dy < 0 )
- dy = -dy;
- if ( dx < dy )
- dx = dy;
- da = dx;
+ /* Calculate midpoint and compare it with start and end. */
+ mid_x = ( DOWNSCALE( ras.x ) + to->x +
+ 3 * ( control1->x + control2->x ) ) / 8;
+ mid_y = ( DOWNSCALE( ras.y ) + to->y +
+ 3 * ( control1->y + control2->y ) ) / 8;
- dx = DOWNSCALE( ras.x ) + to->x - 3 * ( control1->x + control2->x );
+ dx = DOWNSCALE( ras.x ) + to->x - ( mid_x << 1 );
if ( dx < 0 )
dx = -dx;
- dy = DOWNSCALE( ras.y ) + to->y - 3 * ( control1->x + control2->y );
+ dy = DOWNSCALE( ras.y ) + to->y - ( mid_y << 1 );
if ( dy < 0 )
dy = -dy;
if ( dx < dy )
dx = dy;
- db = dx;
+ /* Check whether an approximation with straight lines is sufficient. */
level = 1;
- da = da / ras.cubic_level;
- db = db / ras.conic_level;
- while ( da > 0 || db > 0 )
+ dx = dx / ras.conic_level;
+ while ( dx > 0 )
{
- da >>= 2;
- db >>= 3;
+ dx >>= 3;
level++;
}
if ( level <= 1 )
{
- TPos to_x, to_y, mid_x, mid_y;
+ TPos to_x, to_y;
to_x = UPSCALE( to->x );
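Review bot: The flatness test now divides by `ras.conic_level` and shifts by 3 inside what the `control1`/`control2` parameters show to be the cubic renderer, and nothing on the new side says why the cubic threshold is no longer used. A one-line comment above `dx = dx / ras.conic_level;`, such as `/* deviation is measured at the curve midpoint, so the conic tolerance applies */`, would record the intent, if that is indeed the reasoning. This rasterizer change is also not covered by the commit title or the new ChangeLog entry, which describe only the cffgload.c underflow guard, so anyone backporting the security fix has to separate the two by hand. The function starts and ends outside the hunk.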
@@ -1104,7 +1099,7 @@
Draw:
{
- TPos to_x, to_y, mid_x, mid_y;
+ TPos to_x, to_y;
to_x = arc[0].x;