Fix Savannah bug #39702. * src/cff/cffload.c (cff_index_get_pointers): Check for `cur_offset != 0'; this stronger test is mandated by the CFF specification. Fix test for INDEX structures which have one or more empty entries at the end.
diff --git a/ChangeLog b/ChangeLog
index 3cfbcb1..e1d3a33 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2013-08-06 John Tytgat <John.Tytgat@esko.com>
+
+ Fix Savannah bug #39702.
+
+ * src/cff/cffload.c (cff_index_get_pointers): Check for `cur_offset
+ != 0'; this stronger test is mandated by the CFF specification.
+ Fix test for INDEX structures which have one or more empty entries
+ at the end.
+
2013-08-05 Werner Lemberg <wl@gnu.org>
Fix gcc pragmas, part 2.
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 64b4971..ff271f3 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -414,7 +414,7 @@
cur_offset = idx->offsets[0] - 1;
/* sanity check */
- if ( cur_offset >= idx->data_size )
+ if ( cur_offset != 0 )
{
FT_TRACE0(( "cff_index_get_pointers:"
" invalid first offset value %d set to zero\n",
@@ -432,11 +432,11 @@
FT_ULong next_offset = idx->offsets[n] - 1;
- /* empty slot + two sanity checks for invalid offset tables */
- if ( next_offset == 0 ||
- next_offset < cur_offset ||
- ( next_offset >= idx->data_size && n < idx->count ) )
+ /* two sanity checks for invalid offset tables */
+ if ( next_offset < cur_offset )
next_offset = cur_offset;
+ else if ( next_offset > idx->data_size )
+ next_offset = idx->data_size;
if ( !pool )
t[n] = org_bytes + next_offset;
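Review bot: The upper-bound clamp at `else if ( next_offset > idx->data_size )` is now the only thing that catches a zero entry in `idx->offsets[n]`, and neither the comment nor a trace says so. Because `next_offset` is an `FT_ULong`, `idx->offsets[n] - 1` wraps to a very large value for an offset of 0 and is then silently pinned to `idx->data_size`. If `cur_offset` is advanced to `next_offset` after this hunk (not visible here), every later entry would presumably collapse to an empty one as well. I would extend the comment to `/* two sanity checks for invalid offset tables; a zero offset wraps around and is caught by the upper bound */`. I would also consider an `FT_TRACE0` in both branches, as the first-offset check earlier in the function already does, so that a malformed INDEX is visible when debugging; the enclosing loop starts and ends outside the hunk.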