shithub: freetype+ttf2subf

Download patch

ref: 2cdc4562f873237f1c77d43540537c7a721d3fd8
parent: 8fa69a88d75fd374ea86a9869f6e74a924926e49
author: Dave Arnold <[email protected]>
date: Thu Dec 4 01:10:16 EST 2014 

[cff] Fix Savannah bug #43661.

* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,
cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after
hintmask is constructed.

* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to
avoid reading past end of hintmask.

git/fs: mount .git/fs: mount/attach disallowed 
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2014-12-04  Dave Arnold  <[email protected]>
+
+	[cff] Fix Savannah bug #43661.
+
+	* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,
+	cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after
+	hintmask is constructed.
+
+	* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to
+	avoid reading past end of hintmask.
+
 2014-12-03  Werner Lemberg  <[email protected]>
 
 	docs/CHANGES: Updated.
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -794,8 +794,11 @@
     maskPtr      = cf2_hintmask_getMaskPtr( &tempHintMask );
 
     /* use the hStem hints only, which are first in the mask */
-    /* TODO: compare this to cffhintmaskGetBitCount */
     bitCount = cf2_arrstack_size( hStemHintArray );
+
+    /* Defense-in-depth.  Should never return here. */
+    if ( bitCount > hintMask->bitCount )
+        return;
 
     /* synthetic embox hints get highest priority */
     if ( font->blues.doEmBoxHints )
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    Adobe's CFF Interpreter (body).                                      */
 /*                                                                         */
-/*  Copyright 2007-2013 Adobe Systems Incorporated.                        */
+/*  Copyright 2007-2014 Adobe Systems Incorporated.                        */
 /*                                                                         */
 /*  This software, and all works of authorship, whether in source or       */
 /*  object code form as indicated by the copyright notice(s) included      */
@@ -593,8 +593,11 @@
 
         /* never add hints after the mask is computed */
         if ( cf2_hintmask_isValid( &hintMask ) )
+        {
           FT_TRACE4(( "cf2_interpT2CharString:"
                       " invalid horizontal hint mask\n" ));
+          break;
+        }
 
         cf2_doStems( font,
                      opStack,
@@ -614,8 +617,11 @@
 
         /* never add hints after the mask is computed */
         if ( cf2_hintmask_isValid( &hintMask ) )
+        {
           FT_TRACE4(( "cf2_interpT2CharString:"
                       " invalid vertical hint mask\n" ));
+          break;
+        }
 
         cf2_doStems( font,
                      opStack,
@@ -1141,15 +1147,16 @@
         /* `cf2_hintmask_read' (which also traces the mask bytes) */
         FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" ));
 
-        /* if there are arguments on the stack, there this is an */
-        /* implied cf2_cmdVSTEMHM                                */
-        if ( cf2_stack_count( opStack ) != 0 )
+        /* never add hints after the mask is computed */
+        if ( cf2_stack_count( opStack ) > 1    &&
+             cf2_hintmask_isValid( &hintMask ) )
         {
-          /* never add hints after the mask is computed */
-          if ( cf2_hintmask_isValid( &hintMask ) )
-            FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
+          FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
+          break;
         }
 
+        /* if there are arguments on the stack, there this is an */
+        /* implied cf2_cmdVSTEMHM                                */
         cf2_doStems( font,
                      opStack,
                      &vStemHintArray,