Commit f1631f2db054d8f49115fda1e254a479c4cdc9fe
2009-06-19T23:50:37
[cff] Fix handling of reserved byte 0xFF. * src/cff/cffgload.c (cff_decoder_parse_charstrings): Abort if byte 0xFF is encountered.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42
diff --git a/ChangeLog b/ChangeLog
index df83e9a..61bd614 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2009-06-19 Werner Lemberg <wl@gnu.org>
+ [cff] Fix handling of reserved byte 0xFF.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings): Abort if byte
+ 0xFF is encountered.
+
+2009-06-19 Werner Lemberg <wl@gnu.org>
+
Improve debug messages for Type1 charstrings.
* src/psaux/t1decode.c (t1_decoder_parse_charstrings): Emit newlines
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index 03956ca..6cb26a4 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -938,17 +938,9 @@
goto Syntax_Error;
val = -( (FT_Long)v - 251 ) * 256 - *ip++ - 108;
}
- else
- {
- if ( ip + 3 >= limit )
- goto Syntax_Error;
- val = ( (FT_Int32)ip[0] << 24 ) |
- ( (FT_Int32)ip[1] << 16 ) |
- ( (FT_Int32)ip[2] << 8 ) |
- ip[3];
- ip += 4;
- shift = 0;
- }
+ else /* 255 */
+ goto Syntax_Error;
+
if ( decoder->top - stack >= CFF_MAX_OPERANDS )
goto Stack_Overflow;