ref: 35bb214ae620400cd09a2cfaf3bacd66e179a1f6
parent: ba67957d5ead443f4b6b31805d6e780d54361ca4
author: Werner Lemberg <[email protected]>
date: Sat Mar 3 07:29:53 EST 2012
[cff] One more check against malformed font matrix. * src/cff/cffparse.c (cff_parse_font_matrix): Guard against `xx' and `yy' matrix coefficients being zero.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2012-03-03 Werner Lemberg <[email protected]>
+ [cff] One more check against malformed font matrix.
+
+ * src/cff/cffparse.c (cff_parse_font_matrix): Guard against `xx' and
+ `yy' matrix coefficients being zero.
+
+2012-03-03 Werner Lemberg <[email protected]>
+
Fix Savannah bug #35660.
For some divisions, we use casts to 32bit entities. Always guard
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -474,22 +474,11 @@
if ( scaling < 0 || scaling > 9 )
{
- /* Return default matrix in case of unlikely values. */
-
FT_TRACE1(( "cff_parse_font_matrix:"
" strange scaling value for xx element (%d),\n"
" "
" using default matrix\n", scaling ));
-
- matrix->xx = 0x10000L;
- matrix->yx = 0;
- matrix->xy = 0;
- matrix->yy = 0x10000L;
- offset->x = 0;
- offset->y = 0;
- *upm = 1;
-
- goto Exit;
+ goto Default_matrix;
}
matrix->yx = cff_parse_fixed_scaled( data++, scaling );
@@ -498,6 +487,13 @@
offset->x = cff_parse_fixed_scaled( data++, scaling );
offset->y = cff_parse_fixed_scaled( data, scaling );
+ if ( matrix->xx == 0 || matrix->yy == 0 )
+ {
+ FT_TRACE1(( "cff_parse_font_matrix:"
+ " xx or yy element is zero, using default matrix\n" ));
+ goto Default_matrix;
+ }
+
*upm = power_tens[scaling];
FT_TRACE4(( " [%f %f %f %f %f %f]\n",
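Review bot: The guard `if ( matrix->xx == 0 || matrix->yy == 0 )` has no comment saying which later operation it protects, so a reader cannot tell why an exact zero on the diagonal is the condition that matters. The neighbouring ChangeLog entry mentions guarding divisions, which suggests these coefficients are later used as divisors, but that consumer is not visible in this hunk. A comment such as `/* xx and yy are used as divisors later; zero means a malformed font */` should be confirmed against the callers and added. The test also passes a matrix with non-zero `xx`/`yy` and a zero determinant, so if any consumer inverts the matrix, that case needs its own check. The body of cff_parse_font_matrix starts before and continues past this hunk.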
@@ -508,6 +504,17 @@
(double)offset->x / *upm / 65536,
(double)offset->y / *upm / 65536 ));
}
+
+ goto Exit;
+
+ Default_matrix:
+ matrix->xx = 0x10000L;
+ matrix->yx = 0;
+ matrix->xy = 0;
+ matrix->yy = 0x10000L;
+ offset->x = 0;
+ offset->y = 0;
+ *upm = 1;
Exit:
return error;
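Review bot: The `Default_matrix:` block carries no comment, because the one that explained it (`/* Return default matrix in case of unlikely values. */`) is deleted in the first hunk rather than moved here. I would restore it above the label and mark the implicit fall-through into `Exit:` with `/* fall through */`, since the block is now reached from two places. The value of `error` on this path is set outside the visible hunks. If the fallback is meant to succeed on a malformed font, confirm that `error` holds the success code at both `goto Default_matrix` sites. The function starts outside this hunk.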