[winfnt] Fix Savannah bug #41694. * src/winfonts/winfnt.c (FNT_Load_Glyph): Check glyph offset.
diff --git a/ChangeLog b/ChangeLog
index fb0d6b2..f23507a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,16 @@
-2014-02-26 Wermer Lemberg <wl@gnu.org>
+2014-02-26 Werner Lemberg <wl@gnu.org>
+
+ [winfnt] Fix Savannah bug #41694.
+
+ * src/winfonts/winfnt.c (FNT_Load_Glyph): Check glyph offset.
+
+2014-02-26 Werner Lemberg <wl@gnu.org>
[cff] Fix Savannah bug #41693.
* src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
-2014-02-26 Wermer Lemberg <wl@gnu.org>
+2014-02-26 Werner Lemberg <wl@gnu.org>
[bdf] Fix Savannah bug #41692.
diff --git a/src/winfonts/winfnt.c b/src/winfonts/winfnt.c
index fd6fc55..e9c1a9b 100644
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -4,7 +4,7 @@
/* */
/* FreeType font driver for Windows FNT/FON files */
/* */
-/* Copyright 1996-2004, 2006-2013 by */
+/* Copyright 1996-2004, 2006-2014 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* Copyright 2003 Huw D M Davies for Codeweavers */
/* Copyright 2007 Dmitry Timoshkov for Codeweavers */
@@ -977,7 +977,7 @@
font = face->font;
- if ( !font ||
+ if ( !font ||
glyph_index >= (FT_UInt)( FT_FACE( face )->num_glyphs ) )
{
error = FT_THROW( Invalid_Argument );
@@ -989,16 +989,26 @@
if ( glyph_index > 0 )
glyph_index--; /* revert to real index */
else
- glyph_index = font->header.default_char; /* the .notdef glyph */
+ glyph_index = font->header.default_char; /* the `.notdef' glyph */
new_format = FT_BOOL( font->header.version == 0x300 );
len = new_format ? 6 : 4;
- /* jump to glyph entry */
- p = font->fnt_frame + ( new_format ? 148 : 118 ) + len * glyph_index;
+ /* get glyph width and offset */
+ offset = ( new_format ? 148 : 118 ) + len * glyph_index;
+
+ if ( offset >= font->header.file_size - 2 - ( new_format ? 4 : 2 ) )
+ {
+ FT_TRACE2(( "invalid FNT offset\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+ p = font->fnt_frame + offset;
bitmap->width = FT_NEXT_SHORT_LE( p );
+ /* jump to glyph entry */
if ( new_format )
offset = FT_NEXT_ULONG_LE( p );
else