diff options
author | Mike DePaulo <mikedep333@gmail.com> | 2015-02-28 07:31:25 -0500 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-02-28 18:11:34 -0500 |
commit | 360fe27b55c93c9c6c86895dbbf5db3efc66cc43 (patch) | |
tree | 01d8b3510d6a36ceba211168268d09658a8aa68b /freetype/src/type42/t42parse.c | |
parent | a769ab7159f0718e189f1aaa8b6a5a046c66c52c (diff) | |
download | vcxsrv-360fe27b55c93c9c6c86895dbbf5db3efc66cc43.tar.gz vcxsrv-360fe27b55c93c9c6c86895dbbf5db3efc66cc43.tar.bz2 vcxsrv-360fe27b55c93c9c6c86895dbbf5db3efc66cc43.zip |
Updated to freetype 2.5.5
Conflicts:
freetype/src/base/ftbdf.c
freetype/src/base/fttype1.c
freetype/src/pfr/pfrobjs.c
Diffstat (limited to 'freetype/src/type42/t42parse.c')
-rw-r--r-- | freetype/src/type42/t42parse.c | 48 |
1 files changed, 33 insertions, 15 deletions
diff --git a/freetype/src/type42/t42parse.c b/freetype/src/type42/t42parse.c index d103f94e9..1be13d3f4 100644 --- a/freetype/src/type42/t42parse.c +++ b/freetype/src/type42/t42parse.c @@ -366,7 +366,7 @@ char* notdef = (char *)".notdef"; - T1_Add_Table( char_table, n, notdef, 8 ); + (void)T1_Add_Table( char_table, n, notdef, 8 ); } /* Now we need to read records of the form */ @@ -524,7 +524,7 @@ FT_Byte* limit = parser->root.limit; FT_Error error; FT_Int num_tables = 0; - FT_ULong count, ttf_size = 0; + FT_ULong count; FT_Long n, string_size, old_string_size, real_size; FT_Byte* string_buf = NULL; @@ -580,6 +580,12 @@ /* don't include delimiters */ string_size = (FT_Long)( ( parser->root.cursor - cur - 2 + 1 ) / 2 ); + if ( !string_size ) + { + FT_ERROR(( "t42_parse_sfnts: invalid data in sfnts array\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } if ( FT_REALLOC( string_buf, old_string_size, string_size ) ) goto Fail; @@ -617,7 +623,7 @@ if ( limit - parser->root.cursor < string_size ) { - FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); + FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); goto Fail; } @@ -657,18 +663,25 @@ } else { - num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; - status = BEFORE_TABLE_DIR; - ttf_size = 12 + 16 * num_tables; + num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; + status = BEFORE_TABLE_DIR; + face->ttf_size = 12 + 16 * num_tables; - if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) ) + if ( (FT_ULong)( limit - parser->root.cursor ) < face->ttf_size ) + { + FT_ERROR(( "t42_parse_sfnts: invalid data in sfnts array\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } + + if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) ) goto Fail; } /* fall through */ case BEFORE_TABLE_DIR: /* the offset table is read; read the table directory */ - if ( count < ttf_size ) + if ( count < face->ttf_size ) { face->ttf_data[count++] = string_buf[n]; continue; @@ -687,24 +700,23 @@ len = FT_PEEK_ULONG( p ); /* Pad to a 4-byte boundary length */ - ttf_size += ( len + 3 ) & ~3; + face->ttf_size += ( len + 3 ) & ~3; } - status = OTHER_TABLES; - face->ttf_size = ttf_size; + status = OTHER_TABLES; /* there are no more than 256 tables, so no size check here */ if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables, - ttf_size + 1 ) ) + face->ttf_size + 1 ) ) goto Fail; } /* fall through */ case OTHER_TABLES: /* all other tables are just copied */ - if ( count >= ttf_size ) + if ( count >= face->ttf_size ) { - FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); + FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); goto Fail; } @@ -850,6 +862,12 @@ break; T1_Skip_PS_Token( parser ); + if ( parser->root.cursor >= limit ) + { + FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } if ( parser->root.error ) return; @@ -858,7 +876,7 @@ FT_PtrDist len; - if ( cur + 1 >= limit ) + if ( cur + 2 >= limit ) { FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); error = FT_THROW( Invalid_File_Format ); |