From 16bd51c81929354a88a0ea0df04e08e5d8bffd04 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sat, 21 Mar 2009 07:48:34 +0100 Subject: [PATCH] Fix Ghostscript Coverity issue #3904. * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against zero value of `runcnt'. --- ChangeLog | 7 +++++ src/truetype/ttgxvar.c | 58 ++++++++++++++++++++++++------------------ 2 files changed, 40 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index 69661c16c..ace7524c0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2009-03-21 Werner Lemberg + + Fix Ghostscript Coverity issue #3904. + + * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against + zero value of `runcnt'. + 2009-03-20 Werner Lemberg Fix `make multi' run. diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index 515e734b8..e5888170a 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -4,7 +4,7 @@ /* */ /* TrueType GX Font Variation loader */ /* */ -/* Copyright 2004, 2005, 2006, 2007, 2008 by */ +/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */ /* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -16,30 +16,31 @@ /***************************************************************************/ -/***************************************************************************/ -/* */ -/* Apple documents the `fvar', `gvar', `cvar', and `avar' tables at */ -/* */ -/* http://developer.apple.com/fonts/TTRefMan/RM06/Chap6[fgca]var.html */ -/* */ -/* The documentation for `fvar' is inconsistent. At one point it says */ -/* that `countSizePairs' should be 3, at another point 2. It should be 2. */ -/* */ -/* The documentation for `gvar' is not intelligible; `cvar' refers you to */ -/* `gvar' and is thus also incomprehensible. */ -/* */ -/* The documentation for `avar' appears correct, but Apple has no fonts */ -/* with an `avar' table, so it is hard to test. */ -/* */ -/* Many thanks to John Jenkins (at Apple) in figuring this out. */ -/* */ -/* */ -/* Apple's `kern' table has some references to tuple indices, but as there */ -/* is no indication where these indices are defined, nor how to */ -/* interpolate the kerning values (different tuples have different */ -/* classes) this issue is ignored. */ -/* */ -/***************************************************************************/ + /*************************************************************************/ + /* */ + /* Apple documents the `fvar', `gvar', `cvar', and `avar' tables at */ + /* */ + /* http://developer.apple.com/fonts/TTRefMan/RM06/Chap6[fgca]var.html */ + /* */ + /* The documentation for `fvar' is inconsistent. At one point it says */ + /* that `countSizePairs' should be 3, at another point 2. It should */ + /* be 2. */ + /* */ + /* The documentation for `gvar' is not intelligible; `cvar' refers you */ + /* to `gvar' and is thus also incomprehensible. */ + /* */ + /* The documentation for `avar' appears correct, but Apple has no fonts */ + /* with an `avar' table, so it is hard to test. */ + /* */ + /* Many thanks to John Jenkins (at Apple) in figuring this out. */ + /* */ + /* */ + /* Apple's `kern' table has some references to tuple indices, but as */ + /* there is no indication where these indices are defined, nor how to */ + /* interpolate the kerning values (different tuples have different */ + /* classes) this issue is ignored. */ + /* */ + /*************************************************************************/ #include @@ -158,6 +159,9 @@ runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK; first = points[i++] = FT_GET_USHORT(); + if ( !runcnt ) + goto Exit; + /* first point not included in runcount */ for ( j = 0; j < runcnt; ++j ) points[i++] = (FT_UShort)( first += FT_GET_USHORT() ); @@ -166,11 +170,15 @@ { first = points[i++] = FT_GET_BYTE(); + if ( !runcnt ) + goto Exit; + for ( j = 0; j < runcnt; ++j ) points[i++] = (FT_UShort)( first += FT_GET_BYTE() ); } } + Exit: return points; }