Commit 9bcfab87581d7ed0cc4dd62bc24e701e5aff5725

John Tytgat 2013-08-06T08:55:19

Fix Savannah bug #39702. * src/cff/cffload.c (cff_index_get_pointers): Check for `cur_offset != 0'; this stronger test is mandated by the CFF specification. Fix test for INDEX structures which have one or more empty entries at the end.

diff --git a/ChangeLog b/ChangeLog
index 3cfbcb1..e1d3a33 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2013-08-06  John Tytgat  <John.Tytgat@esko.com>
+
+	Fix Savannah bug #39702.
+
+	* src/cff/cffload.c (cff_index_get_pointers): Check for `cur_offset
+	!= 0'; this stronger test is mandated by the CFF specification.
+	Fix test for INDEX structures which have one or more empty entries
+	at the end.
+
 2013-08-05  Werner Lemberg  <wl@gnu.org>
 
 	Fix gcc pragmas, part 2.
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 64b4971..ff271f3 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -414,7 +414,7 @@
       cur_offset = idx->offsets[0] - 1;
 
       /* sanity check */
-      if ( cur_offset >= idx->data_size )
+      if ( cur_offset != 0 )
       {
         FT_TRACE0(( "cff_index_get_pointers:"
                     " invalid first offset value %d set to zero\n",
@@ -432,11 +432,11 @@
         FT_ULong  next_offset = idx->offsets[n] - 1;
 
 
-        /* empty slot + two sanity checks for invalid offset tables */
-        if ( next_offset == 0                                    ||
-             next_offset < cur_offset                            ||
-             ( next_offset >= idx->data_size && n < idx->count ) )
+        /* two sanity checks for invalid offset tables */
+        if ( next_offset < cur_offset )
           next_offset = cur_offset;
+        else if ( next_offset > idx->data_size )
+          next_offset = idx->data_size;
 
         if ( !pool )
           t[n] = org_bytes + next_offset;
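Review bot: The rewritten comment `/* two sanity checks for invalid offset tables */` no longer says what each clamp means, which is the part a reader needs: an offset that runs backwards is treated as an empty (zero-length) entry, and an offset past the data is truncated to the data end, which is what lets an INDEX whose last entries are empty resolve to zero-length pointers at `org_bytes + idx->data_size` instead of being mishandled. Suggest `/* a backwards offset denotes an empty entry; an offset past the data is clamped to the data end, so trailing empty entries become zero-length pointers */`. Since `idx->offsets[n]` comes from the font file, an entry of 0 wraps `next_offset` to the maximum FT_ULong and relies entirely on the `> idx->data_size` clamp to stay inside the buffer; the first hunk's `cur_offset != 0` check covers only entry 0, so that reliance is worth stating in the comment as well. The loop body continues past the hunk, presumably where `cur_offset` is advanced to `next_offset`.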