aboutsummaryrefslogtreecommitdiff
path: root/freetype/src/cid
diff options
context:
space:
mode:
Diffstat (limited to 'freetype/src/cid')
-rw-r--r--freetype/src/cid/cidload.c26
-rw-r--r--freetype/src/cid/cidriver.c5
2 files changed, 25 insertions, 6 deletions
diff --git a/freetype/src/cid/cidload.c b/freetype/src/cid/cidload.c
index 3bb359446..5f712bcf1 100644
--- a/freetype/src/cid/cidload.c
+++ b/freetype/src/cid/cidload.c
@@ -4,7 +4,7 @@
/* */
/* CID-keyed Type1 font loader (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */
+/* Copyright 1996-2006, 2009, 2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -110,7 +110,7 @@
CID_FaceDict dict;
- if ( parser->num_dict < 0 )
+ if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )
{
FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n",
keyword->ident ));
@@ -158,7 +158,7 @@
FT_Fixed temp_scale;
- if ( parser->num_dict >= 0 )
+ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
{
dict = face->cid.font_dicts + parser->num_dict;
matrix = &dict->font_matrix;
@@ -249,7 +249,7 @@
CID_FaceDict dict;
- if ( parser->num_dict >= 0 )
+ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
{
dict = face->cid.font_dicts + parser->num_dict;
@@ -413,12 +413,25 @@
FT_Byte* p;
+ /* Check for possible overflow. */
+ if ( num_subrs == FT_UINT_MAX )
+ {
+ error = CID_Err_Syntax_Error;
+ goto Fail;
+ }
+
/* reallocate offsets array if needed */
if ( num_subrs + 1 > max_offsets )
{
FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 );
+ if ( new_max <= max_offsets )
+ {
+ error = CID_Err_Syntax_Error;
+ goto Fail;
+ }
+
if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )
goto Fail;
@@ -436,6 +449,11 @@
FT_FRAME_EXIT();
+ /* offsets must be ordered */
+ for ( count = 1; count <= num_subrs; count++ )
+ if ( offsets[count - 1] > offsets[count] )
+ goto Fail;
+
/* now, compute the size of subrs charstrings, */
/* allocate, and read them */
data_len = offsets[num_subrs] - offsets[0];
diff --git a/freetype/src/cid/cidriver.c b/freetype/src/cid/cidriver.c
index 3a2d22532..86ee3bba3 100644
--- a/freetype/src/cid/cidriver.c
+++ b/freetype/src/cid/cidriver.c
@@ -4,7 +4,7 @@
/* */
/* CID driver interface (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2008, 2009 by */
+/* Copyright 1996-2004, 2006, 2008, 2009, 2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -91,7 +91,8 @@
(PS_GetFontInfoFunc) cid_ps_get_font_info,
(PS_GetFontExtraFunc) cid_ps_get_font_extra,
(PS_HasGlyphNamesFunc) NULL, /* unsupported with CID fonts */
- (PS_GetFontPrivateFunc)NULL /* unsupported */
+ (PS_GetFontPrivateFunc)NULL, /* unsupported */
+ (PS_GetFontValueFunc) NULL /* not implemented */
};