ReFuel/freetype
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* src/type1/t1parse.h (T1_ParserRec): Make `base_len' and

Browse Source 
`private_len' unsigned.

* src/type1/t1parse.c (read_pfb_tag): Make `asize' unsigned and read
it as such.
(T1_New_Parser, T1_Get_Private_Dict): Make `size' unsigned.


* src/base/ftstream.c (FT_Stream_Skip): Reject negative values.


* src/type1/t1load.c (parse_blend_design_positions): Check `n_axis'
for sane value.
Fix typo.


* src/psaux/psobjs.c (ps_table_add): Check `idx' correctly.


* src/truetype/ttinterp (Ins_SHC): Use BOUNDS() to check
`last_point'.


* src/sfnt/ttload.c (tt_face_load_max_profile): Limit
`maxTwilightPoints'.
This commit is contained in:
Werner Lemberg 2008-06-09 20:49:29 +00:00
parent d77e72295e
commit 7cb9ec0f1c
9 changed files with 81 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
ChangeLog
View File

@ -1,3 +1,31 @@
2008-06-08 Werner Lemberg <wl@gnu.org>
* src/type1/t1parse.h (T1_ParserRec): Make `base_len' and
`private_len' unsigned.
* src/type1/t1parse.c (read_pfb_tag): Make `asize' unsigned and read
it as such.
(T1_New_Parser, T1_Get_Private_Dict): Make `size' unsigned.
* src/base/ftstream.c (FT_Stream_Skip): Reject negative values.
* src/type1/t1load.c (parse_blend_design_positions): Check `n_axis'
for sane value.
Fix typo.
* src/psaux/psobjs.c (ps_table_add): Check `idx' correctly.
* src/truetype/ttinterp (Ins_SHC): Use BOUNDS() to check
`last_point'.
* src/sfnt/ttload.c (tt_face_load_max_profile): Limit
`maxTwilightPoints'.
2008-06-06 Werner Lemberg <wl@gnu.org>
* src/truetype/ttinterp.c (Ins_IP): Handle case `org_dist == 0'

2
docs/CHANGES
View File

@ -10,6 +10,8 @@ CHANGES BETWEEN 2.3.6 and 2.3.5
it's always possible to manually select an Apple Unicode cmap if
desired.
- Many bug fixes to the TrueType bytecode interpreter.
- Improved Mac support.
- Subsetted CID-keyed CFFs are now supported correctly.

5
src/base/ftstream.c
View File

@ -4,7 +4,7 @@
/* */
/* I/O stream support (body). */
/* */
/* Copyright 2000-2001, 2002, 2004, 2005, 2006 by */
/* Copyright 2000-2001, 2002, 2004, 2005, 2006, 2008 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -89,6 +89,9 @@
FT_Stream_Skip( FT_Stream stream,
FT_Long distance )
{
if ( distance < 0 )
return FT_Err_Invalid_Stream_Operation;
return FT_Stream_Seek( stream, (FT_ULong)( stream->pos + distance ) );
}

4
src/psaux/psobjs.c
View File

@ -4,7 +4,7 @@
/* */
/* Auxiliary functions for PostScript fonts (body). */
/* */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007 by */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -169,7 +169,7 @@
void* object,
FT_PtrDist length )
{
if ( idx < 0 || idx > table->max_elems )
if ( idx < 0 || idx >= table->max_elems )
{
FT_ERROR(( "ps_table_add: invalid index\n" ));
return PSaux_Err_Invalid_Argument;

11
src/sfnt/ttload.c
View File

@ -5,7 +5,7 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (body). */
/* */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007 by */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -618,6 +618,15 @@
if ( maxProfile->maxFunctionDefs == 0 )
maxProfile->maxFunctionDefs = 64;
/* we add 4 phantom points later */
if ( maxProfile->maxTwilightPoints > ( 0xFFFFU - 4 ) )
{
FT_ERROR(( "Too much twilight points in `maxp' table;\n" ));
FT_ERROR(( " some glyphs might be rendered incorrectly.\n" ));
maxProfile->maxTwilightPoints = 0xFFFFU - 4;
}
}
FT_TRACE3(( "numGlyphs: %u\n", maxProfile->numGlyphs ));

2
src/truetype/ttinterp.c
View File

@ -5449,7 +5449,7 @@
/* XXX: this is probably wrong... at least it prevents memory */
/* corruption when zp2 is the twilight zone */
if ( last_point > CUR.zp2.n_points )
if ( BOUNDS( last_point, CUR.zp2.n_points ) )
{
if ( CUR.zp2.n_points > 0 )
last_point = (FT_UShort)(CUR.zp2.n_points - 1);

11
src/type1/t1load.c
View File

@ -674,7 +674,7 @@
for ( n = 0; n < num_designs; n++ )
{
T1_TokenRec axis_tokens[T1_MAX_MM_DESIGNS];
T1_TokenRec axis_tokens[T1_MAX_MM_AXIS];
T1_Token token;
FT_Int axis, n_axis;
@ -687,6 +687,15 @@
if ( n == 0 )
{
if ( n_axis <= 0 || n_axis > T1_MAX_MM_AXIS )
{
FT_ERROR(( "parse_blend_design_positions:" ));
FT_ERROR(( " invalid number of axes: %d\n",
n_axis ));
error = T1_Err_Invalid_File_Format;
goto Exit;
}
num_axis = n_axis;
error = t1_allocate_blend( face, num_designs, num_axis );
if ( error )

37
src/type1/t1parse.c
View File

@ -4,7 +4,7 @@
/* */
/* Type 1 parser (body). */
/* */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005 by */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -65,14 +65,16 @@
/*************************************************************************/
/* see Adobe Technical Note 5040.Download_Fonts.pdf */
static FT_Error
read_pfb_tag( FT_Stream stream,
FT_UShort *atag,
FT_Long *asize )
FT_ULong *asize )
{
FT_Error error;
FT_UShort tag;
FT_Long size;
FT_ULong size;
*atag = 0;
@ -82,7 +84,7 @@
{
if ( tag == 0x8001U || tag == 0x8002U )
{
if ( !FT_READ_LONG_LE( size ) )
if ( !FT_READ_ULONG_LE( size ) )
*asize = size;
}
@ -100,22 +102,25 @@
{
FT_Error error;
FT_UShort tag;
FT_Long size;
FT_ULong dummy;
if ( FT_STREAM_SEEK( 0 ) )
goto Exit;
error = read_pfb_tag( stream, &tag, &size );
error = read_pfb_tag( stream, &tag, &dummy );
if ( error )
goto Exit;
/* We assume that the first segment in a PFB is always encoded as */
/* text. This might be wrong (and the specification doesn't insist */
/* on that), but we have never seen a counterexample. */
if ( tag != 0x8001U && FT_STREAM_SEEK( 0 ) )
goto Exit;
if ( !FT_FRAME_ENTER( header_length ) )
{
error = 0;
error = T1_Err_Ok;
if ( ft_memcmp( stream->cursor, header_string, header_length ) != 0 )
error = T1_Err_Unknown_File_Format;
@ -136,7 +141,7 @@
{
FT_Error error;
FT_UShort tag;
FT_Long size;
FT_ULong size;
psaux->ps_parser_funcs->init( &parser->root, 0, 0, memory );
@ -170,19 +175,19 @@
/* Here a short summary of what is going on: */
/* */
/* When creating a new Type 1 parser, we try to locate and load */
/* the base dictionary if this is possible (i.e. for PFB */
/* the base dictionary if this is possible (i.e., for PFB */
/* files). Otherwise, we load the whole font into memory. */
/* */
/* When `loading' the base dictionary, we only setup pointers */
/* in the case of a memory-based stream. Otherwise, we */
/* allocate and load the base dictionary in it. */
/* */
/* parser->in_pfb is set if we are in a binary (".pfb") font. */
/* parser->in_pfb is set if we are in a binary (`.pfb') font. */
/* parser->in_memory is set if we have a memory stream. */
/* */
/* try to compute the size of the base dictionary; */
/* look for a Postscript binary file tag, i.e 0x8001 */
/* try to compute the size of the base dictionary; */
/* look for a Postscript binary file tag, i.e., 0x8001 */
if ( FT_STREAM_SEEK( 0L ) )
goto Exit;
@ -217,7 +222,7 @@
}
else
{
/* read segment in memory - this is clumsy, but so does the format */
/* read segment in memory -- this is clumsy, but so does the format */
if ( FT_ALLOC( parser->base_dict, size ) ||
FT_STREAM_READ( parser->base_dict, size ) )
goto Exit;
@ -260,7 +265,7 @@
FT_Stream stream = parser->stream;
FT_Memory memory = parser->root.memory;
FT_Error error = T1_Err_Ok;
FT_Long size;
FT_ULong size;
if ( parser->in_pfb )
@ -299,7 +304,7 @@
goto Fail;
}
if ( FT_STREAM_SEEK( start_pos ) ||
if ( FT_STREAM_SEEK( start_pos ) ||
FT_ALLOC( parser->private_dict, parser->private_len ) )
goto Fail;
@ -409,7 +414,7 @@
goto Exit;
}
size = (FT_Long)( parser->base_len - ( cur - parser->base_dict ) );
size = parser->base_len - ( cur - parser->base_dict );
if ( parser->in_memory )
{

6
src/type1/t1parse.h
View File

@ -4,7 +4,7 @@
/* */
/* Type 1 parser (specification). */
/* */
/* Copyright 1996-2001, 2002, 2003 by */
/* Copyright 1996-2001, 2002, 2003, 2008 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -64,10 +64,10 @@ FT_BEGIN_HEADER
FT_Stream stream;
FT_Byte* base_dict;
FT_Long base_len;
FT_ULong base_len;
FT_Byte* private_dict;
FT_Long private_len;
FT_ULong private_len;
FT_Bool in_pfb;
FT_Bool in_memory;