* src/psaux/psobjs.c (ps_tocoordarray, ps_tofixedarray): Return -1 in case of parsing error. (ps_parser_load_field): Updated. * src/type1/t1load.c (parse_font_matrix): Updated.
diff --git a/ChangeLog b/ChangeLog
index 4e1e664..7069363 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,13 @@
* src/winfnt/winfnt.c (FNT_Face_Init): Check `family_size'.
+
+ * src/psaux/psobjs.c (ps_tocoordarray, ps_tofixedarray): Return -1
+ in case of parsing error.
+ (ps_parser_load_field): Updated.
+
+ * src/type1/t1load.c (parse_font_matrix): Updated.
+
2007-06-04 Werner Lemberg <wl@gnu.org>
* src/cid/cidgload.c (cid_load_glyph): Check `fd_select'.
diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
index ee7d2cc..8217fb9 100644
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -785,8 +785,7 @@
if ( c == '[' )
ender = ']';
-
- if ( c == '{' )
+ else if ( c == '{' )
ender = '}';
if ( ender )
@@ -795,7 +794,8 @@
/* now, read the coordinates */
while ( cur < limit )
{
- FT_Short dummy;
+ FT_Short dummy;
+ FT_Byte* old_cur;
/* skip whitespace in front of data */
@@ -812,11 +812,20 @@
break;
}
+ old_cur = cur;
+
/* call PS_Conv_ToFixed() even if coords == NULL */
/* to properly parse number at `cur' */
*( coords != NULL ? &coords[count] : &dummy ) =
(FT_Short)( PS_Conv_ToFixed( &cur, limit, 0 ) >> 16 );
- count++;
+
+ if ( old_cur == cur )
+ {
+ count = -1;
+ goto Exit;
+ }
+ else
+ count++;
if ( !ender )
break;
@@ -830,7 +839,7 @@
/* first character must be a delimiter or a part of a number */
/* NB: `values' can be NULL if we just want to skip the */
- /* array in this case we ignore `max_values' */
+ /* array; in this case we ignore `max_values' */
static FT_Int
ps_tofixedarray( FT_Byte* *acur,
@@ -854,8 +863,7 @@
if ( c == '[' )
ender = ']';
-
- if ( c == '{' )
+ else if ( c == '{' )
ender = '}';
if ( ender )
@@ -864,7 +872,8 @@
/* now, read the values */
while ( cur < limit )
{
- FT_Fixed dummy;
+ FT_Fixed dummy;
+ FT_Byte* old_cur;
/* skip whitespace in front of data */
@@ -881,11 +890,20 @@
break;
}
+ old_cur = cur;
+
/* call PS_Conv_ToFixed() even if coords == NULL */
/* to properly parse number at `cur' */
*( values != NULL ? &values[count] : &dummy ) =
PS_Conv_ToFixed( &cur, limit, power_ten );
- count++;
+
+ if ( old_cur == cur )
+ {
+ count = -1;
+ goto Exit;
+ }
+ else
+ count++;
if ( !ender )
break;
@@ -1161,9 +1179,18 @@
{
FT_Fixed temp[4];
FT_BBox* bbox = (FT_BBox*)q;
+ FT_Int result;
- (void)ps_tofixedarray( &token.start, token.limit, 4, temp, 0 );
+ result = ps_tofixedarray( &token.start, token.limit, 4, temp, 0 );
+
+ if ( result < 0 )
+ {
+ FT_ERROR(( "ps_parser_load_field: "
+ "expected four integers in bounding box\n" ));
+ error = PSaux_Err_Invalid_File_Format;
+ goto Exit;
+ }
bbox->xMin = FT_RoundFix( temp[0] );
bbox->yMin = FT_RoundFix( temp[1] );
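Review bot: The guard `if ( result < 0 )` rejects only a parse error, not a short array: for a `/FontBBox [1 2]` ps_tofixedarray returns 2, and the following lines still read `temp[2]` and `temp[3]`, which `FT_Fixed temp[4];` leaves uninitialized, so the bounding box is built from stack garbage. The message already says four integers are expected; make the check match it with `if ( result < 4 )`, which also covers the -1 case (assuming ps_tofixedarray never returns more than the `4` passed as max_values). The remainder of ps_parser_load_field lies outside this hunk.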
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index c64f5f0..51b0b13 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1066,9 +1066,16 @@
FT_Face root = (FT_Face)&face->root;
FT_Fixed temp[6];
FT_Fixed temp_scale;
+ FT_Int result;
- (void)T1_ToFixedArray( parser, 6, temp, 3 );
+ result = T1_ToFixedArray( parser, 6, temp, 3 );
+
+ if ( result < 0 )
+ {
+ parser->root.error = T1_Err_Invalid_File_Format;
+ return;
+ }
temp_scale = FT_ABS( temp[3] );
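Review bot: The check `result < 0` passes a FontMatrix with fewer than six entries, and `temp_scale = FT_ABS( temp[3] )` then reads an uninitialized slot of `FT_Fixed temp[6];` — a value that is presumably used to scale the face. Tighten it to `if ( result < 6 )`, which also catches -1, assuming T1_ToFixedArray never returns more than the `6` it is given. Unlike ps_parser_load_field this path sets `parser->root.error` without a trace; adding `FT_ERROR(( "parse_font_matrix: expected six values in FontMatrix\n" ));` keeps the two diagnostics consistent. parse_font_matrix starts before and continues after this hunk, so whether a zero `temp_scale` is rejected later is not visible.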