diff options
| author | marha <marha@users.sourceforge.net> | 2011-07-18 10:51:09 +0200 |
|---|---|---|
| committer | marha <marha@users.sourceforge.net> | 2011-07-18 10:51:09 +0200 |
| commit | 3c0d2312573b81e3067bea610a58b1940c075e05 (patch) | |
| tree | 3f025a27d813374f225957801226aa8ee829a33a /freetype/src/gxvalid/gxvmort2.c | |
| parent | ba033884541714680fd7552ab9d6c8817650f7d8 (diff) | |
| parent | 88101146f2ec7d53ffb793e365f05097ffd35fd3 (diff) | |
| download | vcxsrv-3c0d2312573b81e3067bea610a58b1940c075e05.tar.gz vcxsrv-3c0d2312573b81e3067bea610a58b1940c075e05.tar.bz2 vcxsrv-3c0d2312573b81e3067bea610a58b1940c075e05.zip | |
Merge remote-tracking branch 'origin/released'
Conflicts:
X11/Xfuncproto.h.in
X11/configure.ac
X11/keysymdef.h
freetype/include/freetype/internal/pcftypes.h
freetype/src/cache/ftcbasic.c
freetype/src/cache/ftccmap.c
mesalib/src/glsl/ir.h
mesalib/src/glsl/link_functions.cpp
mesalib/src/mesa/main/dlist.c
mesalib/src/mesa/program/prog_optimize.c
mesalib/src/mesa/state_tracker/st_program.c
pthreads/Makefile
Diffstat (limited to 'freetype/src/gxvalid/gxvmort2.c')
| -rw-r--r-- | freetype/src/gxvalid/gxvmort2.c | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/freetype/src/gxvalid/gxvmort2.c b/freetype/src/gxvalid/gxvmort2.c index 6f77cf39c..9e08fb792 100644 --- a/freetype/src/gxvalid/gxvmort2.c +++ b/freetype/src/gxvalid/gxvmort2.c @@ -155,8 +155,7 @@ ligActionOffset, lat_base - p )); /* FontValidator, ftxvalidator, ftxdumperfuser warn but continue */ - if ( valid->root->level >= FT_VALIDATE_PARANOID ) - FT_INVALID_OFFSET; + GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET ); } else if ( lat_limit < p ) { @@ -164,23 +163,46 @@ ligActionOffset, p - lat_limit )); /* FontValidator, ftxvalidator, ftxdumperfuser warn but continue */ - if ( valid->root->level >= FT_VALIDATE_PARANOID ) - FT_INVALID_OFFSET; + GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET ); } else { /* validate entry in ligActionTable */ FT_ULong lig_action; +#ifdef GXV_LOAD_UNUSED_VARS FT_UShort last; FT_UShort store; +#endif FT_ULong offset; lig_action = FT_NEXT_ULONG( p ); +#ifdef GXV_LOAD_UNUSED_VARS last = (FT_UShort)( ( lig_action >> 31 ) & 1 ); store = (FT_UShort)( ( lig_action >> 30 ) & 1 ); +#endif + /* Apple spec defines this offset as a word offset */ offset = lig_action & 0x3FFFFFFFUL; + if ( offset * 2 < optdata->ligatureTable ) + { + GXV_TRACE(( "too short offset 0x%08x:" + " 2 x offset < ligatureTable (%d byte rewind)\n", + offset, optdata->ligatureTable - offset * 2 )); + + GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET ); + } else if ( offset * 2 > + optdata->ligatureTable + optdata->ligatureTable_length ) + { + GXV_TRACE(( "too long offset 0x%08x:" + " 2 x offset > ligatureTable + ligatureTable_length" + " (%d byte overrun)\n", + offset, + optdata->ligatureTable + optdata->ligatureTable_length + - offset * 2 )); + + GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET ); + } } } @@ -194,8 +216,10 @@ FT_Bytes limit, GXV_Validator valid ) { +#ifdef GXV_LOAD_UNUSED_VARS FT_UShort setComponent; FT_UShort dontAdvance; +#endif FT_UShort offset; FT_UNUSED( state ); @@ -203,8 +227,10 @@ FT_UNUSED( limit ); +#ifdef GXV_LOAD_UNUSED_VARS setComponent = (FT_UShort)( ( flags >> 15 ) & 1 ); dontAdvance = (FT_UShort)( ( flags >> 14 ) & 1 ); +#endif offset = (FT_UShort)( flags & 0x3FFFU ); @@ -237,6 +263,9 @@ GXV_LIMIT_CHECK( 2 ); lig_gid = FT_NEXT_USHORT( p ); + + if ( valid->face->num_glyphs < lig_gid ) + GXV_SET_ERR_IF_PARANOID( FT_INVALID_GLYPH_ID ); } } GXV_EXIT; |