From 360fe27b55c93c9c6c86895dbbf5db3efc66cc43 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sat, 28 Feb 2015 07:31:25 -0500
Subject: Updated to freetype 2.5.5

Conflicts:
	freetype/src/base/ftbdf.c
	freetype/src/base/fttype1.c
	freetype/src/pfr/pfrobjs.c
---
 freetype/src/type42/t42objs.c  | 10 ++++++++-
 freetype/src/type42/t42parse.c | 48 +++++++++++++++++++++++++++++-------------
 2 files changed, 42 insertions(+), 16 deletions(-)

(limited to 'freetype/src/type42')

diff --git a/freetype/src/type42/t42objs.c b/freetype/src/type42/t42objs.c
index 2595ecc25..66bdb6907 100644
--- a/freetype/src/type42/t42objs.c
+++ b/freetype/src/type42/t42objs.c
@@ -47,6 +47,12 @@
     if ( FT_ALLOC( face->ttf_data, 12 ) )
       goto Exit;
 
+    /* while parsing the font we always update `face->ttf_size' so that */
+    /* even in case of buggy data (which might lead to premature end of */
+    /* scanning without causing an error) the call to `FT_Open_Face' in */
+    /* `T42_Face_Init' passes the correct size                          */
+    face->ttf_size = 12;
+
     error = t42_parser_init( parser,
                              face->root.stream,
                              memory,
@@ -286,7 +292,9 @@
       FT_Open_Args  args;
 
 
-      args.flags       = FT_OPEN_MEMORY;
+      args.flags       = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
+      args.driver      = FT_Get_Module( FT_FACE_LIBRARY( face ),
+                                        "truetype" );
       args.memory_base = face->ttf_data;
       args.memory_size = face->ttf_size;
 
diff --git a/freetype/src/type42/t42parse.c b/freetype/src/type42/t42parse.c
index d103f94e9..1be13d3f4 100644
--- a/freetype/src/type42/t42parse.c
+++ b/freetype/src/type42/t42parse.c
@@ -366,7 +366,7 @@
         char*  notdef = (char *)".notdef";
 
 
-        T1_Add_Table( char_table, n, notdef, 8 );
+        (void)T1_Add_Table( char_table, n, notdef, 8 );
       }
 
       /* Now we need to read records of the form                */
@@ -524,7 +524,7 @@
     FT_Byte*    limit  = parser->root.limit;
     FT_Error    error;
     FT_Int      num_tables = 0;
-    FT_ULong    count, ttf_size = 0;
+    FT_ULong    count;
 
     FT_Long     n, string_size, old_string_size, real_size;
     FT_Byte*    string_buf = NULL;
@@ -580,6 +580,12 @@
 
         /* don't include delimiters */
         string_size = (FT_Long)( ( parser->root.cursor - cur - 2 + 1 ) / 2 );
+        if ( !string_size )
+        {
+          FT_ERROR(( "t42_parse_sfnts: invalid data in sfnts array\n" ));
+          error = FT_THROW( Invalid_File_Format );
+          goto Fail;
+        }
         if ( FT_REALLOC( string_buf, old_string_size, string_size ) )
           goto Fail;
 
@@ -617,7 +623,7 @@
 
         if ( limit - parser->root.cursor < string_size )
         {
-          FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+          FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
           error = FT_THROW( Invalid_File_Format );
           goto Fail;
         }
@@ -657,18 +663,25 @@
           }
           else
           {
-            num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
-            status     = BEFORE_TABLE_DIR;
-            ttf_size   = 12 + 16 * num_tables;
+            num_tables     = 16 * face->ttf_data[4] + face->ttf_data[5];
+            status         = BEFORE_TABLE_DIR;
+            face->ttf_size = 12 + 16 * num_tables;
 
-            if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+            if ( (FT_ULong)( limit - parser->root.cursor ) < face->ttf_size )
+            {
+              FT_ERROR(( "t42_parse_sfnts: invalid data in sfnts array\n" ));
+              error = FT_THROW( Invalid_File_Format );
+              goto Fail;
+            }
+
+            if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
               goto Fail;
           }
           /* fall through */
 
         case BEFORE_TABLE_DIR:
           /* the offset table is read; read the table directory */
-          if ( count < ttf_size )
+          if ( count < face->ttf_size )
           {
             face->ttf_data[count++] = string_buf[n];
             continue;
@@ -687,24 +700,23 @@
               len = FT_PEEK_ULONG( p );
 
               /* Pad to a 4-byte boundary length */
-              ttf_size += ( len + 3 ) & ~3;
+              face->ttf_size += ( len + 3 ) & ~3;
             }
 
-            status         = OTHER_TABLES;
-            face->ttf_size = ttf_size;
+            status = OTHER_TABLES;
 
             /* there are no more than 256 tables, so no size check here */
             if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
-                             ttf_size + 1 ) )
+                             face->ttf_size + 1 ) )
               goto Fail;
           }
           /* fall through */
 
         case OTHER_TABLES:
           /* all other tables are just copied */
-          if ( count >= ttf_size )
+          if ( count >= face->ttf_size )
           {
-            FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+            FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
             error = FT_THROW( Invalid_File_Format );
             goto Fail;
           }
@@ -850,6 +862,12 @@
         break;
 
       T1_Skip_PS_Token( parser );
+      if ( parser->root.cursor >= limit )
+      {
+        FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
       if ( parser->root.error )
         return;
 
@@ -858,7 +876,7 @@
         FT_PtrDist  len;
 
 
-        if ( cur + 1 >= limit )
+        if ( cur + 2 >= limit )
         {
           FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
           error = FT_THROW( Invalid_File_Format );
-- 
cgit v1.2.3