Fix handling of `get' and `put' CFF instructions.

* src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_get,
cff_op_put>: Appendix B of Adobe Technote #5177 limits the number of
elements for the `get' and `put' operators to 32.
* src/cff/cffgload.h (CFF_MAX_TRANS_ELEMENTS): Define.
(CFF_Decoder): Use it for `buildchar' and remove `len_buildchar'.
Werner Lemberg 2009-10-19 21:09:13 +02:00
parent d90567b1e6
commit 2d15120cb5
3 changed files with 14 additions and 4 deletions

@ -1,3 +1,13 @@
2009-10-19 Ning Dong <flintning@163.com>
Fix handling of `get' and `put' CFF instructions.
* src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_get,
cff_op_put>: Appendix B of Adobe Technote #5177 limits the number of
elements for the `get' and `put' operators to 32.
* src/cff/cffgload.h (CFF_MAX_TRANS_ELEMENTS): Define.
(CFF_Decoder): Use it for `buildchar' and remove `len_buildchar'.
2009-10-18 Werner Lemberg <wl@gnu.org>
Fix handling of `dup' CFF instruction.

@ -2117,7 +2117,7 @@
FT_TRACE4(( " put\n" ));
if ( idx >= 0 && idx < decoder->len_buildchar )
if ( idx >= 0 && idx < CFF_MAX_TRANS_ELEMENTS )
decoder->buildchar[idx] = val;
}
break;
@ -2130,7 +2130,7 @@
FT_TRACE4(( " get\n" ));
if ( idx >= 0 && idx < decoder->len_buildchar )
if ( idx >= 0 && idx < CFF_MAX_TRANS_ELEMENTS )
val = decoder->buildchar[idx];
args[0] = val;
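Review bot: In the `get` case, every index from 0 to `CFF_MAX_TRANS_ELEMENTS - 1` now reads `decoder->buildchar[idx]`, so a charstring that issues `get` before any `put` receives whatever the embedded array already holds. The decoder's initialization is not part of this diff; if it does not clear the whole structure, that read hands uninitialized memory to font-controlled data, so it is worth confirming and recording next to the read with a comment such as `/* buildchar[] is cleared with the decoder; unset slots read as 0 */`. Out-of-range indices are silently ignored in both `put` and `get`, which is memory-safe but would be easier to diagnose with a trace message on the rejected index. Both case bodies belong to cff_decoder_parse_charstrings, which starts and ends outside these hunks.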

@ -30,6 +30,7 @@ FT_BEGIN_HEADER
#define CFF_MAX_OPERANDS 48
#define CFF_MAX_SUBRS_CALLS 32
#define CFF_MAX_TRANS_ELEMENTS 32
/*************************************************************************/
@ -137,8 +138,7 @@ FT_BEGIN_HEADER
FT_Bool read_width;
FT_Bool width_only;
FT_Int num_hints;
FT_Fixed* buildchar;
FT_Int len_buildchar;
FT_Fixed buildchar[CFF_MAX_TRANS_ELEMENTS];
FT_UInt num_locals;
FT_UInt num_globals;
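Review bot: `CFF_MAX_TRANS_ELEMENTS` is defined without a comment saying where the value 32 comes from, although the bounds checks in the `put` and `get` cases rely on it being exactly the dimension of `buildchar` in CFF_Decoder. A comment on the define such as `/* transient array size for put/get, Adobe Technote #5177, Appendix B */` would keep the limit traceable and warn against changing one without the other. The array is now stored inline, so each decoder instance grows by 32 `FT_Fixed` elements; that looks acceptable but is worth a word in the struct's field documentation. The CFF_Decoder definition continues outside this hunk.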