diff options
author | marha <marha@users.sourceforge.net> | 2011-07-18 10:51:09 +0200 |
---|---|---|
committer | marha <marha@users.sourceforge.net> | 2011-07-18 10:51:09 +0200 |
commit | 3c0d2312573b81e3067bea610a58b1940c075e05 (patch) | |
tree | 3f025a27d813374f225957801226aa8ee829a33a /freetype/src/sfnt/sfobjs.c | |
parent | ba033884541714680fd7552ab9d6c8817650f7d8 (diff) | |
parent | 88101146f2ec7d53ffb793e365f05097ffd35fd3 (diff) | |
download | vcxsrv-3c0d2312573b81e3067bea610a58b1940c075e05.tar.gz vcxsrv-3c0d2312573b81e3067bea610a58b1940c075e05.tar.bz2 vcxsrv-3c0d2312573b81e3067bea610a58b1940c075e05.zip |
Merge remote-tracking branch 'origin/released'
Conflicts:
X11/Xfuncproto.h.in
X11/configure.ac
X11/keysymdef.h
freetype/include/freetype/internal/pcftypes.h
freetype/src/cache/ftcbasic.c
freetype/src/cache/ftccmap.c
mesalib/src/glsl/ir.h
mesalib/src/glsl/link_functions.cpp
mesalib/src/mesa/main/dlist.c
mesalib/src/mesa/program/prog_optimize.c
mesalib/src/mesa/state_tracker/st_program.c
pthreads/Makefile
Diffstat (limited to 'freetype/src/sfnt/sfobjs.c')
-rw-r--r-- | freetype/src/sfnt/sfobjs.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/freetype/src/sfnt/sfobjs.c b/freetype/src/sfnt/sfobjs.c index 449c6b000..10041e4dc 100644 --- a/freetype/src/sfnt/sfobjs.c +++ b/freetype/src/sfnt/sfobjs.c @@ -4,7 +4,7 @@ /* */ /* SFNT object management (base). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010 by */ +/* Copyright 1996-2008, 2010-2011 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -356,7 +356,7 @@ FT_FRAME_START( 8 ), FT_FRAME_LONG( version ), - FT_FRAME_LONG( count ), + FT_FRAME_LONG( count ), /* this is ULong in the specs */ FT_FRAME_END }; @@ -390,6 +390,17 @@ if ( FT_STREAM_READ_FIELDS( ttc_header_fields, &face->ttc_header ) ) return error; + if ( face->ttc_header.count == 0 ) + return SFNT_Err_Invalid_Table; + + /* a rough size estimate: let's conservatively assume that there */ + /* is just a single table info in each subfont header (12 + 16*1 = */ + /* 28 bytes), thus we have (at least) `12 + 4*count' bytes for the */ + /* size of the TTC header plus `28*count' bytes for all subfont */ + /* headers */ + if ( (FT_ULong)face->ttc_header.count > stream->size / ( 28 + 4 ) ) + return SFNT_Err_Array_Too_Large; + /* now read the offsets of each font in the file */ if ( FT_NEW_ARRAY( face->ttc_header.offsets, face->ttc_header.count ) ) return error; @@ -536,7 +547,7 @@ FT_UNUSED( face_index ); /* Check parameters */ - + { FT_Int i; |