diff options
| author | marha <marha@users.sourceforge.net> | 2011-11-10 16:12:27 +0100 |
|---|---|---|
| committer | marha <marha@users.sourceforge.net> | 2011-11-10 16:12:27 +0100 |
| commit | 82e62cfbf79bc8c19946d034a0d5e14ce4fabb44 (patch) | |
| tree | 16003af05805301a8a23d3ba0048e29eaf0fca73 /freetype/src/lzw/ftzopen.c | |
| parent | 7381bc7b9f63b2a6bf9ea9cbe04614adfc4b2369 (diff) | |
| parent | d783adea42f29bd7917929597ca1031b70587e1d (diff) | |
| download | vcxsrv-82e62cfbf79bc8c19946d034a0d5e14ce4fabb44.tar.gz vcxsrv-82e62cfbf79bc8c19946d034a0d5e14ce4fabb44.tar.bz2 vcxsrv-82e62cfbf79bc8c19946d034a0d5e14ce4fabb44.zip | |
Merge remote-tracking branch 'origin/released'
Diffstat (limited to 'freetype/src/lzw/ftzopen.c')
| -rw-r--r-- | freetype/src/lzw/ftzopen.c | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/freetype/src/lzw/ftzopen.c b/freetype/src/lzw/ftzopen.c index 905eabb08..15a70778e 100644 --- a/freetype/src/lzw/ftzopen.c +++ b/freetype/src/lzw/ftzopen.c @@ -8,7 +8,7 @@ /* be used to parse compressed PCF fonts, as found with many X11 server */ /* distributions. */ /* */ -/* Copyright 2005, 2006, 2007, 2009 by David Turner. */ +/* Copyright 2005-2007, 2009, 2011 by David Turner. */ /* */ /* This file is part of the FreeType project, and may only be used, */ /* modified, and distributed under the terms of the FreeType project */ @@ -124,6 +124,15 @@ old_size = 0; } + /* requirement of the character stack larger than 1<<LZW_MAX_BITS */ + /* implies bug in the decompression code */ + if ( new_size > ( 1 << LZW_MAX_BITS ) ) + { + new_size = 1 << LZW_MAX_BITS; + if ( new_size == old_size ) + return -1; + } + if ( FT_RENEW_ARRAY( state->stack, old_size, new_size ) ) return -1; @@ -279,7 +288,7 @@ : state->max_free + 1; c = ft_lzwstate_get_code( state ); - if ( c < 0 ) + if ( c < 0 || c > 255 ) goto Eof; old_code = old_char = (FT_UInt)c; @@ -312,11 +321,12 @@ /* why not LZW_FIRST-256 ? */ state->free_ent = ( LZW_FIRST - 1 ) - 256; state->buf_clear = 1; - c = ft_lzwstate_get_code( state ); - if ( c < 0 ) - goto Eof; - code = (FT_UInt)c; + /* not quite right, but at least more predictable */ + old_code = 0; + old_char = 0; + + goto NextCode; } in_code = code; /* save code for later */ @@ -326,6 +336,10 @@ /* special case for KwKwKwK */ if ( code - 256U >= state->free_ent ) { + /* corrupted LZW stream */ + if ( code - 256U > state->free_ent ) + goto Eof; + FTLZW_STACK_PUSH( old_char ); code = old_code; } |