kc3-lang/freetype

Browse

Commit c2dabdeed05c1517bf1020ba6b2aa2d9b1c75470

Werner Lemberg 2010-07-02T01:27:49

Merge branch 'master' of git.sv.gnu.org:/srv/git/freetype/freetype2 Conflicts: ChangeLog 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

diff --git a/ChangeLog b/ChangeLog
index ac58422..4073342 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,24 @@
 	threshold values for `width' and `height'.  This is not directly
 	related to the bug fix but makes sense anyway.
 
+2010-07-01  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Initial fix for Savannah bug #30306.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
+	the length of fragment declared in the POST fragment header
+	and prevent an underflow in length calculation. Some fonts
+	set the length to zero in spite of the exist of following
+	16bit `type'. Reported by Robert Swiecki.
+
+2010-07-01  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Additional fix for Savannah bug #30248 and #30249.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
+	size during gathering PFB fragments embedded in LaserWriter PS
+	font for Macintosh. Reported by Robert Swiecki.
+
 2010-06-30  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	Minor optimizations by avoiding divisions.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 32d4417..7c2662f 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1547,11 +1547,22 @@
         goto Exit;
       if ( FT_READ_USHORT( flags ) )
         goto Exit;
-      rlen -= 2;                    /* the flags are part of the resource */
+      FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                   i, offsets[i], rlen, flags ));
+
+      /* the flags are part of the resource, so rlen >= 2.  */
+      /* but some fonts declare rlen = 0 for empty fragment */
+      if ( rlen > 2 )
+        rlen -= 2;
+      else
+        rlen = 0;
+
       if ( ( flags >> 8 ) == type )
         len += rlen;
       else
       {
+        if ( pfb_lenpos + 3 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
         pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
         pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
@@ -1560,6 +1571,8 @@
         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
           break;
 
+        if ( pfb_pos + 6 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_pos++] = 0x80;
 
         type = flags >> 8;
@@ -1579,9 +1592,13 @@
       pfb_pos += rlen;
     }
 
+    if ( pfb_pos + 2 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_pos++] = 0x80;
     pfb_data[pfb_pos++] = 3;
 
+    if ( pfb_lenpos + 3 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
     pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
     pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
kmx.io     mail     discord kmxgit v0.4.0