shithub: freetype+ttf2subf

Download patch

ref: 19cb1127d4a2520126477382f35b489b48530b7e
parent: 7f0f40116daac4e9a8c11b8f3026fe0c07bdb901
author: Werner Lemberg <[email protected]>
date: Tue Sep 15 04:52:36 EDT 2015 

[type1, type42] Fix memory leaks (#45966).

* src/type1/t1load.c (parse_blend_axis_types): Handle multiple axis
names.
(parse_blend_design_map): Allow only a single design map.
(parse_encoding): Handle multiple encoding vectors.

* src/type42/t42parse.c (t42_parse_encoding): Handle multiple
encoding vectors.

git/fs: mount .git/fs: mount/attach disallowed 
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
 2015-09-15  Werner Lemberg  <[email protected]>
 
+	[type1, type42] Fix memory leaks (#45966).
+
+	* src/type1/t1load.c (parse_blend_axis_types): Handle multiple axis
+	names.
+	(parse_blend_design_map): Allow only a single design map.
+	(parse_encoding): Handle multiple encoding vectors.
+
+	* src/type42/t42parse.c (t42_parse_encoding): Handle multiple
+	encoding vectors.
+
+2015-09-15  Werner Lemberg  <[email protected]>
+
 	[truetype] Fix integer type (#45965).
 
 	* src/truetype/ttobjs.c (tt_synth_sfnt_checksum): Implement it.
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -615,6 +615,15 @@
         goto Exit;
       }
 
+      name = (FT_Byte*)blend->axis_names[n];
+      if ( name )
+      {
+        FT_TRACE0(( "parse_blend_axis_types:"
+                    " overwriting axis name `%s' with `%*.s'\n",
+                    name, len, token->start ));
+        FT_FREE( name );
+      }
+
       if ( FT_ALLOC( blend->axis_names[n], len + 1 ) )
         goto Exit;
 
@@ -787,6 +796,13 @@
         goto Exit;
       }
 
+      if ( map->design_points )
+      {
+        FT_ERROR(( "parse_blend_design_map: duplicate table\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Exit;
+      }
+
       /* allocate design map data */
       if ( FT_NEW_ARRAY( map->design_points, num_points * 2 ) )
         goto Exit;
@@ -1204,6 +1220,14 @@
       T1_Skip_Spaces( parser );
       if ( parser->root.cursor >= limit )
         return;
+
+      /* PostScript happily allows overwriting of encoding arrays */
+      if ( encode->char_index )
+      {
+        FT_FREE( encode->char_index );
+        FT_FREE( encode->char_name );
+        T1_Release_Table( char_table );
+      }
 
       /* we use a T1_Table to store our charnames */
       loader->num_chars = encode->num_chars = count;
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -345,6 +345,14 @@
       if ( parser->root.cursor >= limit )
         return;
 
+      /* PostScript happily allows overwriting of encoding arrays */
+      if ( encode->char_index )
+      {
+        FT_FREE( encode->char_index );
+        FT_FREE( encode->char_name );
+        T1_Release_Table( char_table );
+      }
+
       /* we use a T1_Table to store our charnames */
       loader->num_chars = encode->num_chars = count;
       if ( FT_NEW_ARRAY( encode->char_index, count )     ||