diff options
Diffstat (limited to 'freetype/src/cid')
-rw-r--r-- | freetype/src/cid/cidload.c | 26 | ||||
-rw-r--r-- | freetype/src/cid/cidriver.c | 5 |
2 files changed, 25 insertions, 6 deletions
diff --git a/freetype/src/cid/cidload.c b/freetype/src/cid/cidload.c index 3bb359446..5f712bcf1 100644 --- a/freetype/src/cid/cidload.c +++ b/freetype/src/cid/cidload.c @@ -4,7 +4,7 @@ /* */ /* CID-keyed Type1 font loader (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */ +/* Copyright 1996-2006, 2009, 2011 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -110,7 +110,7 @@ CID_FaceDict dict; - if ( parser->num_dict < 0 ) + if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts ) { FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n", keyword->ident )); @@ -158,7 +158,7 @@ FT_Fixed temp_scale; - if ( parser->num_dict >= 0 ) + if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts ) { dict = face->cid.font_dicts + parser->num_dict; matrix = &dict->font_matrix; @@ -249,7 +249,7 @@ CID_FaceDict dict; - if ( parser->num_dict >= 0 ) + if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts ) { dict = face->cid.font_dicts + parser->num_dict; @@ -413,12 +413,25 @@ FT_Byte* p; + /* Check for possible overflow. */ + if ( num_subrs == FT_UINT_MAX ) + { + error = CID_Err_Syntax_Error; + goto Fail; + } + /* reallocate offsets array if needed */ if ( num_subrs + 1 > max_offsets ) { FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 ); + if ( new_max <= max_offsets ) + { + error = CID_Err_Syntax_Error; + goto Fail; + } + if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) ) goto Fail; @@ -436,6 +449,11 @@ FT_FRAME_EXIT(); + /* offsets must be ordered */ + for ( count = 1; count <= num_subrs; count++ ) + if ( offsets[count - 1] > offsets[count] ) + goto Fail; + /* now, compute the size of subrs charstrings, */ /* allocate, and read them */ data_len = offsets[num_subrs] - offsets[0]; diff --git a/freetype/src/cid/cidriver.c b/freetype/src/cid/cidriver.c index 3a2d22532..86ee3bba3 100644 --- a/freetype/src/cid/cidriver.c +++ b/freetype/src/cid/cidriver.c @@ -4,7 +4,7 @@ /* */ /* CID driver interface (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2008, 2009 by */ +/* Copyright 1996-2004, 2006, 2008, 2009, 2011 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -91,7 +91,8 @@ (PS_GetFontInfoFunc) cid_ps_get_font_info, (PS_GetFontExtraFunc) cid_ps_get_font_extra, (PS_HasGlyphNamesFunc) NULL, /* unsupported with CID fonts */ - (PS_GetFontPrivateFunc)NULL /* unsupported */ + (PS_GetFontPrivateFunc)NULL, /* unsupported */ + (PS_GetFontValueFunc) NULL /* not implemented */ }; |