kc3-lang/freetype

Browse

Commit c13e75fb1b7f778b58bc2bc185e10a03f3cff001

David Turner 2006-02-27T13:14:42

* src/base/ftutil.c: ft_mem_alloc and related functions now return an error if a negative size is passed in parameters. * src/cache/ftccache.c: make ftc_node_destroy FT_BASE_DEF, it needs to be exported for rogue clients * src/pshinter/pshglob.c: prevent problems with malformed fonts which have an odd number of blue values (these are broken according to the specs). * src/cff/cffload.c, src/type1/t1load.c: modify the loaders to force even-ness of 'num_blue_values'. Also change the CFF loader so that invalid entries in index files are ignored. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255

diff --git a/ChangeLog b/ChangeLog
index abf7c38..a6dc576 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2006-02-27  David Turner  <david@freetype.org>
+
+    * src/base/ftutil.c: ft_mem_alloc and related functions now return an
+    error if a negative size is passed in parameters.
+
+    * src/cache/ftccache.c: make ftc_node_destroy FT_BASE_DEF, it needs to
+    be exported for rogue clients
+    
+    * src/pshinter/pshglob.c: prevent problems with malformed fonts which
+    have an odd number of blue values (these are broken according to the
+    specs).
+
+    * src/cff/cffload.c, src/type1/t1load.c: modify the loaders to force
+    even-ness of 'num_blue_values'. Also change the CFF loader so that
+    invalid entries in index files are ignored.
+
 2006-02-27  Chia-I Wu  <b90201047@ntu.edu.tw>
 
 	* src/base/ftobjs.c (FT_Set_Char_Size): Ahh.. forgot to check the case
diff --git a/src/base/ftutil.c b/src/base/ftutil.c
index 31d3a1c..ddddd34 100644
--- a/src/base/ftutil.c
+++ b/src/base/ftutil.c
@@ -66,6 +66,11 @@
       else
         FT_MEM_ZERO( block, size );
     }
+    else if ( size < 0 )
+    {
+      /* may help catch/prevent nasty security issues */
+      error = FT_Err_Invalid_Argument;
+    }
 
     *p_error = error;
     return block;
@@ -87,6 +92,11 @@
       if ( block == NULL )
         error = FT_Err_Out_Of_Memory;
     }
+    else
+    {
+      /* may help catch/prevent security issues */
+      error = FT_Err_Invalid_Argument;
+    }
 
     *p_error = error;
     return block;
@@ -103,12 +113,16 @@
     FT_Error  error = FT_Err_Ok;
 
 
-    if ( size <= 0 )
+    if ( size < 0 || current < 0 )
+    {
+      error = FT_Err_Invalid_Argument;
+    }  
+    else if ( size == 0 )
     {
       ft_mem_free( memory, block );
       block = NULL;
     }
-    else if ( current <= 0 )
+    else if ( current == 0 )
     {
       FT_ASSERT( block == NULL );
 
@@ -145,12 +159,16 @@
     FT_Error  error = FT_Err_Ok;
 
 
-    if ( size <= 0 )
+    if ( size < 0 || current < 0 )
+    {
+      error = FT_Err_Invalid_Argument;
+    }
+    else if ( size == 0 )
     {
       ft_mem_free( memory, block );
       block = NULL;
     }
-    else if ( current <= 0 )
+    else if ( current == 0 )
     {
       FT_ASSERT( block == NULL );
 
@@ -190,7 +208,9 @@
   ft_mem_alloc( FT_Memory  memory,
                 FT_Long    size,
                 void*     *P )
-  {
+  { 
+    FT_Error  error = FT_Err_Ok;
+    
     FT_ASSERT( P != 0 );
 
     if ( size > 0 )
@@ -207,13 +227,17 @@
       FT_MEM_ZERO( *P, size );
     }
     else
+    {
       *P = NULL;
+      if ( size < 0 )
+        error = FT_Err_Invalid_Argument;
+    }
 
     FT_TRACE7(( "ft_mem_alloc:" ));
     FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
                 size, *P, P ));
 
-    return FT_Err_Ok;
+    return error;
   }
 
 
@@ -224,6 +248,8 @@
                  FT_Long    size,
                  void*     *P )
   {
+    FT_Error  error = FT_Err_Ok;
+    
     FT_ASSERT( P != 0 );
 
     if ( size > 0 )
@@ -239,13 +265,17 @@
       }
     }
     else
+    {
       *P = NULL;
+      if ( size < 0 )
+        error = FT_Err_Invalid_Argument;
+    }
 
     FT_TRACE7(( "ft_mem_qalloc:" ));
     FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
                 size, *P, P ));
 
-    return FT_Err_Ok;
+    return error;
   }
 
 
@@ -267,12 +297,15 @@
       return ft_mem_alloc( memory, size, P );
 
     /* if the new block if zero-sized, clear the current one */
-    if ( size <= 0 )
+    if ( size == 0 )
     {
       ft_mem_free( memory, P );
       return FT_Err_Ok;
     }
 
+    if ( size < 0 || current < 0 )
+      return FT_Err_Invalid_Argument;
+
     Q = memory->realloc( memory, current, size, *P );
     if ( !Q )
       goto Fail;
@@ -309,12 +342,15 @@
       return ft_mem_qalloc( memory, size, P );
 
     /* if the new block if zero-sized, clear the current one */
-    if ( size <= 0 )
+    if ( size == 0 )
     {
       ft_mem_free( memory, P );
       return FT_Err_Ok;
     }
 
+    if ( size < 0 || current < 0 )
+      return FT_Err_Invalid_Argument;
+
     Q = memory->realloc( memory, current, size, *P );
     if ( !Q )
       goto Fail;
diff --git a/src/cache/ftccache.c b/src/cache/ftccache.c
index 22ec06c..fd756fa 100644
--- a/src/cache/ftccache.c
+++ b/src/cache/ftccache.c
@@ -256,7 +256,8 @@
 
 
   /* remove a node from the cache manager */
-  FT_LOCAL_DEF( void )
+  /* this function is FT_BASE since it may be called by old rogue clients */
+  FT_BASE_DEF( void )
   ftc_node_destroy( FTC_Node     node,
                     FTC_Manager  manager )
   {
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 6d73e98..e576c3c 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -1235,7 +1235,7 @@
       }
 
       /* access element */
-      if ( off1 )
+      if ( off1 && off2 > off1 )
       {
         *pbyte_len = off2 - off1;
 
@@ -2011,7 +2011,7 @@
 
     if ( error )
       goto Exit;
-
+ 
     /* if it is a CID font, we stop there */
     if ( top->cid_registry != 0xFFFFU )
       goto Exit;
@@ -2040,6 +2040,9 @@
       FT_FRAME_EXIT();
       if ( error )
         goto Exit;
+
+      /* ensure that 'num_blue_values' is even */
+      priv->num_blue_values &= ~1;
     }
 
     /* read the local subrs, if any */
diff --git a/src/pshinter/pshglob.c b/src/pshinter/pshglob.c
index 21d45e9..c02dc0b 100644
--- a/src/pshinter/pshglob.c
+++ b/src/pshinter/pshglob.c
@@ -150,7 +150,7 @@
     FT_UNUSED( target );
 
 
-    for ( ; read_count > 0; read_count -= 2 )
+    for ( ; read_count > 1; read_count -= 2 )
     {
       FT_Int         reference, delta;
       FT_UInt        count;
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 75c0e95..66c89a6 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1989,6 +1989,9 @@
                         keyword_flags );
     if ( error )
       goto Exit;
+ 
+    /* ensure even-ness of 'num_blue_values' */
+    priv->num_blue_values &= ~1;
 
 #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT
kmx.io     mail     discord kmxgit v0.4.0