diff --git a/ChangeLog b/ChangeLog index e6d06025..a377b86f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,13 +1,27 @@ +2010-09-19 Werner Lemberg + + Minor fixes. + + * src/cff/cffload.c (cff_charset_compute_cids): `charset->sids[i]' + is `FT_UShort'. + (cff_index_access_element): Don't use additions in comparison. + * src/sfnt/ttpost.c (load_format_20): Make `post_limit' of type + `FT_Long'. + Don't use additions in comparison. + Improve tracing messages. + (load_format_25, load_post_names): Make `post_limit' of type + `FT_Long'. + 2010-09-19 suzuki toshiya [cff] Truncate the element length at the end of the stream. See Savannah bug #30975. - * src/cff/cffload.c (cff_index_access_element): `off2', the - offset to the next element is truncated at the end of the - stream to prevent invalid I/O. As `off1', the offset to the - requested element has been checked by FT_STREAM_SEEK(), - `off2' should be checked similarly. + * src/cff/cffload.c (cff_index_access_element): `off2', the offset + to the next element is truncated at the end of the stream to prevent + invalid I/O. As `off1', the offset to the requested element has + been checked by FT_STREAM_SEEK(), `off2' should be checked + similarly. 2010-09-19 suzuki toshiya @@ -15,17 +29,17 @@ See Savannah bug #30975. * src/cff/cffload.c (cff_charset_compute_cids): Ignore CID if - greater than 0xFFFFU. CFF font spec does not mention about - maximum CID in the font, but PostScript and PDF spec define - that maximum CID is 0xFFFFU. + greater than 0xFFFFU. CFF font spec does not mention maximum CID in + the font, but PostScript and PDF spec define that maximum CID is + 0xFFFFU. 2010-09-19 suzuki toshiya [cff] Make trace message in cff_charset_load() verbose. See Savannah bug #30975. - * src/cff/cffload.c (cff_charset_load): Report the original - `nleft' and truncated `nleft'. + * src/cff/cffload.c (cff_charset_load): Report the original `nleft' + and truncated `nleft'. 2010-09-19 suzuki toshiya 
@@ -33,45 +47,47 @@ See Savannah bug #30975. * src/cff/cffload.c (cff_charset_compute_cids): Don't increment - max_cid after detecting max CID. The array CFF_Charset->cids - is allocated by max_cid + 1. - (cff_charset_cid_to_gindex): Permit CID is less than or equal - to CFF_Charset->max_cid. + max_cid after detecting max CID. The array CFF_Charset->cids is + allocated by max_cid + 1. + (cff_charset_cid_to_gindex): Permit CID is less than or equal to + CFF_Charset->max_cid. * src/cff/cffobjs.c (cff_face_init): FT_Face->num_glyphs is calculated as CFF_Charset->max_cid + 1. 2010-09-19 suzuki toshiya [truetype] Sanitize the broken offsets in `loca'. + See Savannah bug #31040. * src/truetype/ttpload.c (tt_face_get_location): If `pos1', the offset to the requested entry in `glyf' exceeds the end of the - table, return offset=0, length=0. If `pos2', the offset to the - next entry in `glyf' exceeds the end of the table, truncate - the entry length at the end of `glyf' table. - See Savannah bug #31040. + table, return offset=0, length=0. If `pos2', the offset to the next + entry in `glyf' exceeds the end of the table, truncate the entry + length at the end of `glyf' table. 2010-09-19 suzuki toshiya [sfnt] Prevent overrunning in `post' table parser. + See Savannah bug #31040. - * src/sfnt/ttpost.c (load_post_names): Get the length of - `post' table and pass the limit of `post' table to - load_format_20() and load_format_25(). - (load_format_20): Stop the parsing when we reached at the - limit of `post' table. If more glyph names are required, - they are filled by NULL names. See Savannah bug #31040. + * src/sfnt/ttpost.c (load_post_names): Get the length of `post' + table and pass the limit of `post' table to load_format_20() and + load_format_25(). + (load_format_20): Stop the parsing when we reached at the limit of + `post' table. If more glyph names are required, they are filled by + NULL names. 
2010-09-17 suzuki toshiya [truetype] Don't duplicate size->twilight structure to be freed. + See Savannah bug #31040 for detail. * src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate FT_GlyphZoneRec size->twilight to be freed. If duplicated, FT_FREE() erases the duplicated pointers only and leave original pointers. They can cause the double-free crash when the burst - errors occur in TrueType interpreter and free_buffer_in_size() - is invoked repeatedly. See Savannah bug #31040 for detail. + errors occur in TrueType interpreter and free_buffer_in_size() is + invoked repeatedly. 2010-09-15 Werner Lemberg diff --git a/src/cff/cffload.c b/src/cff/cffload.c index c0f21097..000cbe3a 100644 --- a/src/cff/cffload.c +++ b/src/cff/cffload.c @@ -519,9 +519,10 @@ } } - /* XXX: should check off2 does not exceed the end of this entry */ - /* at present, only truncate off 2 at the end of this stream */ - if ( idx->data_offset + off2 - 1 > stream->size ) + /* XXX: should check off2 does not exceed the end of this entry; */ + /* at present, only truncate off2 at the end of this stream */ + if ( off2 > stream->size + 1 || + idx->data_offset > stream->size - off2 + 1 ) { FT_ERROR(( "cff_index_access_element:" " offset to next entry (%d)" @@ -791,16 +792,11 @@ for ( i = 0; i < num_glyphs; i++ ) { - if ( charset->sids[i] > 0xFFFFU ) - FT_ERROR(( "cff_charset_compute_cids():" - " ignore CID (0x%lx) for SID (0x%lx)," - " greater than PS/PDF spec\n", - charset->sids[i], i )); - else if ( charset->sids[i] > max_cid ) + if ( charset->sids[i] > max_cid ) max_cid = charset->sids[i]; } - if ( FT_NEW_ARRAY( charset->cids, max_cid + 1 ) ) + if ( FT_NEW_ARRAY( charset->cids, (FT_ULong)max_cid + 1 ) ) goto Exit; /* When multiple GIDs map to the same CID, we choose the lowest */ diff --git a/src/sfnt/ttpost.c b/src/sfnt/ttpost.c index 5059fd55..642f1ab7 100644 --- a/src/sfnt/ttpost.c +++ b/src/sfnt/ttpost.c 
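Review bot: The rewritten guard in the cffload.c `@@ -519` hunk still carries one addition that can wrap, `stream->size + 1` in the first operand, so it is overflow-free only while `stream->size < (FT_ULong)-1`; in that corner the sum becomes 0 and the guard rejects every `off2`, i.e. it fails closed, which is worth one comment so the next reader does not re-derive it, e.g. `/* stream->size + 1 cannot wrap for a real stream; if it did, every off2 is rejected */`. The first operand is what makes the second safe: once `off2 <= stream->size + 1` holds, `stream->size - off2 + 1` cannot wrap, so the pair is equivalent to the old `idx->data_offset + off2 - 1 > stream->size` minus its overflow. The XXX comment remains accurate: the bound is the end of the stream, not the end of the INDEX data, so an `off2` past the index's own data but inside the stream is still accepted; whether a later check in cff_index_access_element catches that cannot be seen here, as the function starts and ends outside the hunk.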
@@ -5,7 +5,7 @@ /* Postcript name table processing for TrueType and OpenType fonts */ /* (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009 by */ +/* Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -154,7 +154,7 @@ static FT_Error load_format_20( TT_Face face, FT_Stream stream, - FT_ULong post_limit ) + FT_Long post_limit ) { FT_Memory memory = stream->memory; FT_Error error; @@ -231,30 +231,34 @@ FT_UInt len; - FT_TRACE7(( "load_format_20: %d byte left in post table\n", - post_limit - FT_STREAM_POS() )); - if ( FT_STREAM_POS() >= post_limit ) { FT_ERROR(( "load_format_20:" - " all entries in post table is already parsed," - " put NULL name for gid=%d\n", n )); + " all entries in post table are already parsed," + " using NULL for gid %d\n", n )); len = 0; } - else if ( FT_READ_BYTE( len ) ) - goto Fail1; + else + { + FT_TRACE6(( "load_format_20: %d byte left in post table\n", + post_limit - FT_STREAM_POS() )); - if ( len > 0 && FT_STREAM_POS() + len > post_limit ) + if ( FT_READ_BYTE( len ) ) + goto Fail1; + } + + if ( (FT_Int)len > post_limit || + FT_STREAM_POS() > post_limit - (FT_Int)len ) { FT_ERROR(( "load_format_20:" - " too large string length (%d)" - " truncate at the end of post table (%d byte left)\n", + " exceeding string length (%d)," + " truncating at end of post table (%d byte left)\n", len, post_limit - FT_STREAM_POS() )); len = FT_MAX( 0, post_limit - FT_STREAM_POS() ); } if ( FT_NEW_ARRAY( name_strings[n], len + 1 ) || - FT_STREAM_READ ( name_strings[n], len ) ) + FT_STREAM_READ( name_strings[n], len ) ) goto Fail1; name_strings[n][len] = '\0'; @@ -294,7 +298,7 @@ static FT_Error load_format_25( TT_Face face, FT_Stream stream, - FT_ULong post_limit ) + FT_Long post_limit ) { FT_Memory memory = stream->memory; FT_Error error; 
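Review bot: In the `@@ -231` hunk the truncation `len = FT_MAX( 0, post_limit - FT_STREAM_POS() );` does not clamp when the stream position is already past `post_limit`: `post_limit` is now `FT_Long` but `FT_STREAM_POS()` (FT_Stream_Pos) yields `FT_ULong`, so the subtraction is performed unsigned, wraps to a huge value, `FT_MAX( 0, ... )` keeps it, and `len` becomes a very large allocation and read size. That state is reachable on the first loop iteration if the glyph-index array read before this loop (outside the hunk) is bounded only by the stream and not by `post_limit` — confirm — because the first branch sets `len = 0` and `FT_STREAM_POS() > post_limit - 0` is then true. Doing the subtraction signed and clamping explicitly fixes it: `FT_Long  left = post_limit - (FT_Long)FT_STREAM_POS();` followed by `len = left > 0 ? (FT_UInt)left : 0;`. The same `post_limit - FT_STREAM_POS()` expression is passed to `%d` in the FT_TRACE6 and FT_ERROR calls while being an unsigned long, so the format should be `%ld` with a signed cast of the operand. load_format_20's body continues outside the hunk on both sides.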
@@ -302,6 +306,8 @@ FT_Int num_glyphs; FT_Char* offset_table = 0; + FT_UNUSED( post_limit ); + /* UNDOCUMENTED! This value appears only in the Apple TT specs. */ if ( FT_READ_USHORT( num_glyphs ) ) @@ -361,7 +367,8 @@ FT_Stream stream; FT_Error error; FT_Fixed format; - FT_ULong post_len, post_limit; + FT_ULong post_len; + FT_Long post_limit; /* get a stream for the face's resource */
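Review bot: `FT_UNUSED( post_limit )` in the `@@ -302` hunk records that load_format_25 receives the table limit but never checks it, so the overrun protection this commit adds for format 2.0 does not extend to format 2.5: the `num_glyphs` read and the `offset_table` read that follow (the rest of the function lies outside the hunk) are presumably bounded only by the stream, not by the end of the `post` table — confirm. If enforcing the limit is deferred, a comment should say so instead of letting the macro imply the parameter is pointless, e.g. `/* TODO: bound the num_glyphs/offset_table reads by post_limit as load_format_20 does */`. Otherwise the check is one comparison after the USHORT read, along the lines of `if ( (FT_Long)FT_STREAM_POS() + num_glyphs > post_limit )` routed to the function's existing error exit.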