ref: 08c628d128e6fba3a7a7be610d459b0d7f556f07
parent: 9a56764037dfc01a89fe61f5c67971bf50343d00
author: Werner Lemberg <[email protected]>
date: Wed Feb 26 09:18:03 EST 2014
[cff] Fix Savannah bug #41693. * src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2014-02-26 Wermer Lemberg <[email protected]>
+ [cff] Fix Savannah bug #41693.
+
+ * src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
+
+2014-02-26 Wermer Lemberg <[email protected]>
+
[bdf] Fix Savannah bug #41692.
bdflib puts data from the input stream into a buffer in chunks of
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -4,7 +4,7 @@
/* */
/* OpenType and CFF data/program tables loader (body). */
/* */
-/* Copyright 1996-2013 by */
+/* Copyright 1996-2014 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -689,6 +689,13 @@
if ( FT_READ_USHORT( num_ranges ) )
goto Exit;
+ if ( !num_ranges )
+ {
+ FT_TRACE0(( "CFF_Load_FD_Select: empty FDSelect array\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
fdselect->data_size = num_ranges * 3 + 2;
Load_Data:
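Review bot: The added `if ( !num_ranges )` check has no comment saying why an empty format 3 FDSelect must be rejected, and the reason is not visible at this spot. With zero ranges, `data_size = num_ranges * 3 + 2` is 2, which by the CFF format 3 layout is only the trailing sentinel and no range record. The `case 3:` lookup further down in this diff sets `p_limit = p + fdselect->data_size` and walks 3-byte records, so it presumably reads a whole record before testing the limit; that loop is only partly visible, so confirm it first. I would then add `/* format 3 needs at least one range; the lookup reads a range record before checking p_limit */` above the `if`. The check covers the count only, since nothing in the visible lines validates that the first range starts at glyph 0 or that the ranges ascend, and the function body starts and ends outside the hunk.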
@@ -719,7 +726,7 @@
break;
case 3:
- /* first, compare to cache */
+ /* first, compare to the cache */
if ( (FT_UInt)( glyph_index - fdselect->cache_first ) <
fdselect->cache_count )
{
@@ -727,7 +734,7 @@
break;
}
- /* then, lookup the ranges array */
+ /* then, look up the ranges array */
{
FT_Byte* p = fdselect->data;
FT_Byte* p_limit = p + fdselect->data_size;
@@ -750,7 +757,7 @@
/* update cache */
fdselect->cache_first = first;
- fdselect->cache_count = limit-first;
+ fdselect->cache_count = limit - first;
fdselect->cache_fd = fd2;
break;
}