From 685dd4f7b8e6437093424a1931f4b1cb72f8c900 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Wed, 13 Oct 2004 05:15:44 +0000 Subject: [PATCH] * src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer overflow. * src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input. Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work in case of failure. * src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals. (tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after frame test. * src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for `flag'. --- ChangeLog | 16 ++++++++++++++++ src/sfnt/ttcmap.c | 4 +++- src/sfnt/ttload.c | 13 +++++++++---- src/sfnt/ttsbit.c | 13 ++++++++++--- src/truetype/ttgload.c | 2 ++ 5 files changed, 40 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index dd0ce57d9..9a8a7eac2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,19 @@ +2004-10-11 Joshua Neal + + * src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer + overflow. + + * src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input. + Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work + in case of failure. + + * src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals. + (tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after + frame test. + + * src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for + `flag'. + 2004-10-09 Werner Lemberg * docs/CHANGES: Updated. diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c index 71f216c12..bc851ee48 100644 --- a/src/sfnt/ttcmap.c +++ b/src/sfnt/ttcmap.c @@ -1935,7 +1935,9 @@ charmap.encoding = FT_ENCODING_NONE; /* will be filled later */ offset = TT_NEXT_ULONG( p ); - if ( offset && table + offset + 2 < limit ) + if ( offset && + table + offset + 2 < limit && + table + offset >= table ) { FT_Byte* cmap = table + offset; volatile FT_UInt format = TT_PEEK_USHORT( cmap ); diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c index fa5c6a71a..1a3dcb6d2 100644 --- a/src/sfnt/ttload.c +++ b/src/sfnt/ttload.c @@ -1842,16 +1842,21 @@ FT_FRAME_EXIT(); + if ( record_size < 0 || num_records < 0 ) + return SFNT_Err_Invalid_File_Format; + /* Only recognize format 0 */ if ( hdmx->version != 0 ) goto Exit; - if ( FT_QNEW_ARRAY( hdmx->records, num_records ) ) + /* we can't use FT_QNEW_ARRAY here; otherwise tt_face_free_hdmx */ + /* could fail during deallocation */ + if ( FT_NEW_ARRAY( hdmx->records, num_records ) ) goto Exit; hdmx->num_records = num_records; - num_glyphs = face->root.num_glyphs; - record_size -= num_glyphs + 2; + num_glyphs = face->root.num_glyphs; + record_size -= num_glyphs + 2; { TT_HdmxEntry cur = hdmx->records; @@ -1871,7 +1876,7 @@ /* skip padding bytes */ if ( record_size > 0 && FT_STREAM_SKIP( record_size ) ) - goto Exit; + goto Exit; } } diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c index 444c27acc..cff40e505 100644 --- a/src/sfnt/ttsbit.c +++ b/src/sfnt/ttsbit.c @@ -334,6 +334,13 @@ FT_Bool large = FT_BOOL( range->index_format == 1 ); + + if ( range->last_glyph < range->first_glyph ) + { + error = SFNT_Err_Invalid_File_Format; + goto Exit; + } + num_glyphs = range->last_glyph - range->first_glyph + 1L; range->num_glyphs = num_glyphs; num_glyphs++; /* XXX: BEWARE - see spec */ @@ -519,14 +526,14 @@ FT_ULong count2 = strike->num_ranges; - if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) ) - goto Exit; - /* read each range */ if ( FT_STREAM_SEEK( table_base + strike->ranges_offset ) || FT_FRAME_ENTER( strike->num_ranges * 8L ) ) goto Exit; + if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) ) + goto Exit; + range = strike->sbit_ranges; while ( count2 > 0 ) { diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c index 0c3ee44d5..572de844f 100644 --- a/src/truetype/ttgload.c +++ b/src/truetype/ttgload.c @@ -426,6 +426,8 @@ flag = (FT_Byte*)outline->tags; flag_limit = flag + n_points; + FT_ASSERT( flag != NULL ); + while ( flag < flag_limit ) { if ( --byte_len < 0 )