Handle some border cases. * include/freetype/config/ftstdlib.h (FT_USHORT_MAX): New macro. * src/base/ftbitmap.c (FT_Bitmap_Convert): Protect against invalid value of `target->rows'. * src/psaux/t1decode.c (t1_decoder_parse_charstrings): Add check for flex start. * src/raster/ftrend1.c (ft_raster1_render): Check `width' and `height'. * src/truetype/ttgxvar.c (TT_Vary_Get_Glyph_Deltas): Protect against invalid values in `localpoints' array.
diff --git a/ChangeLog b/ChangeLog
index 8b8b6c2..cfc74cc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,21 @@
+2011-10-01 Braden Thomas <bthomas@apple.com>
+
+ Handle some border cases.
+
+ * include/freetype/config/ftstdlib.h (FT_USHORT_MAX): New macro.
+
+ * src/base/ftbitmap.c (FT_Bitmap_Convert): Protect against invalid
+ value of `target->rows'.
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings): Add check for
+ flex start.
+
+ * src/raster/ftrend1.c (ft_raster1_render): Check `width' and
+ `height'.
+
+ * src/truetype/ttgxvar.c (TT_Vary_Get_Glyph_Deltas): Protect against
+ invalid values in `localpoints' array.
+
2011-10-01 Werner Lemberg <wl@gnu.org>
[psnames] Handle zapfdingbats.
diff --git a/include/freetype/config/ftstdlib.h b/include/freetype/config/ftstdlib.h
index 30ec14e..11d5d0e 100644
--- a/include/freetype/config/ftstdlib.h
+++ b/include/freetype/config/ftstdlib.h
@@ -5,7 +5,7 @@
/* ANSI-specific library and header configuration file (specification */
/* only). */
/* */
-/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2009 by */
+/* Copyright 2002-2007, 2009, 2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -59,11 +59,12 @@
#include <limits.h>
-#define FT_CHAR_BIT CHAR_BIT
-#define FT_INT_MAX INT_MAX
-#define FT_INT_MIN INT_MIN
-#define FT_UINT_MAX UINT_MAX
-#define FT_ULONG_MAX ULONG_MAX
+#define FT_CHAR_BIT CHAR_BIT
+#define FT_USHORT_MAX USHRT_MAX
+#define FT_INT_MAX INT_MAX
+#define FT_INT_MIN INT_MIN
+#define FT_UINT_MAX UINT_MAX
+#define FT_ULONG_MAX ULONG_MAX
/**********************************************************************/
diff --git a/src/base/ftbitmap.c b/src/base/ftbitmap.c
index 22ec337..5ef7ac7 100644
--- a/src/base/ftbitmap.c
+++ b/src/base/ftbitmap.c
@@ -4,7 +4,7 @@
/* */
/* FreeType utility functions for bitmaps (body). */
/* */
-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 2004-2009, 2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -417,6 +417,10 @@
target->pitch = source->width + pad;
+ if ( target->pitch > 0 &&
+ target->rows > FT_ULONG_MAX / target->pitch )
+ return FT_Err_Invalid_Argument;
+
if ( target->rows * target->pitch > old_size &&
FT_QREALLOC( target->buffer,
old_size, target->rows * target->pitch ) )
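Review bot: The new guard bounds the product by `FT_ULONG_MAX`, but the multiplication it protects, `target->rows * target->pitch` in the following `if` and in the `FT_QREALLOC` call, is evaluated in the operands' own type. If `rows` and `pitch` are `int` fields (their declarations are not in this hunk), the product overflows at `FT_INT_MAX`, far below `FT_ULONG_MAX` on platforms with a 64-bit `long`, so an oversized bitmap could still pass the check and lead to an undersized buffer. Either tighten the bound to `target->rows > FT_INT_MAX / target->pitch`, or compute the size once as `(FT_ULong)target->rows * (FT_ULong)target->pitch` and use that value in both the comparison and the reallocation. The addition `source->width + pad` on the line above is unchecked as well; the enclosing function starts and ends outside the hunk.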
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index 90874f0..b3ccbdd 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -764,6 +764,13 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
+ if ( decoder->flex_state == 0 )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
+ " missing flex start\n" ));
+ goto Syntax_Error;
+ }
+
/* note that we should not add a point for index 0; */
/* this will move our current position to the flex */
/* point without adding any point to the outline */
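Review bot: The added `flex_state == 0` guard carries no comment saying which invariant it enforces, and the surrounding `case` label is outside the hunk, so a reader cannot tell which othersubr it belongs to. I would add `/* a flex vector is only valid after a flex start othersubr */` above the check. It is also worth confirming that the other flex-related branches of this switch (not visible here) reject the same state, since a guard on only one branch would leave the others reachable with `flex_state == 0`.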
diff --git a/src/raster/ftrend1.c b/src/raster/ftrend1.c
index d8a89f2..28b1b58 100644
--- a/src/raster/ftrend1.c
+++ b/src/raster/ftrend1.c
@@ -4,7 +4,7 @@
/* */
/* The FreeType glyph rasterizer interface (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2005, 2006 by */
+/* Copyright 1996-2003, 2005, 2006, 2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -176,6 +176,13 @@
width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+
+ if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX )
+ {
+ error = Raster_Err_Invalid_Argument;
+ goto Exit;
+ }
+
bitmap = &slot->bitmap;
memory = render->root.memory;
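Review bot: The range check runs after the `(FT_UInt)` casts, so it sees values that may already have been truncated. If `cbox.xMax - cbox.xMin` has a wider signed type than `FT_UInt` (the declaration of `cbox` is outside the hunk), a very large extent can wrap to a small `width` or `height` and pass the `> FT_USHORT_MAX` test. Comparing the shifted differences against `FT_USHORT_MAX` before casting, and rejecting negative differences at the same point, would close that gap. A one-line comment stating why 16 bits is the limit for this renderer would also help the next reader.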
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 37bbe6d..69b702f 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -4,7 +4,7 @@
/* */
/* TrueType GX Font Variation loader */
/* */
-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 2004-2011 by */
/* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -1474,6 +1474,9 @@
{
for ( j = 0; j < point_count; ++j )
{
+ if ( localpoints[j] >= n_points )
+ continue;
+
delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply );
delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply );
}
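Review bot: Out-of-range entries in `localpoints` are now skipped silently, with no comment or trace output, so a malformed variation table looks the same as a valid one when debugging. I would add `/* skip point indices outside the glyph; font data is untrusted */` above the check and, if the project's tracing macros are usable in this file, log the skipped index. The fix also relies on `delta_xy` holding at least `n_points` entries and on `deltas_x`/`deltas_y` holding `point_count` entries; neither allocation is visible in the hunk, so that should be confirmed. The loop sits inside a function that starts and ends outside the hunk.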