ref: 3d083fc213c7df18662e1c452b2f8ad56bfa2c4c
parent: 39af82ebbf3b55f45300eccc7660f388efd09d0b
author: Werner Lemberg <[email protected]>
date: Tue Jul 11 20:24:48 EDT 2017
* src/truetype/ttpload.c (tt_face_get_location): Off-by-one typo. Also improve tracing message. Problem reported as https://bugs.chromium.org/p/chromium/issues/detail?id=738919
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-07-12 Werner Lemberg <[email protected]>
+
+ * src/truetype/ttpload.c (tt_face_get_location): Off-by-one typo.
+
+ Also improve tracing message.
+
+ Problem reported as
+
+ https://bugs.chromium.org/p/chromium/issues/detail?id=738919
+
2017-07-07 Werner Lemberg <[email protected]>
[cff] Integer overflow.
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -247,13 +247,13 @@
if ( pos2 > face->glyf_len )
{/* We try to sanitize the last `loca' entry. */
- if ( gindex == face->num_locations - 1 )
+ if ( gindex == face->num_locations - 2 )
{FT_TRACE1(( "tt_face_get_location:"
- " too large offset (0x%08lx) found for glyph index %ld,\n"
+ " too large size (%ld bytes) found for glyph index %ld,\n"
" "
- " truncating at the end of `glyf' table (0x%08lx)\n",
- pos2, gindex + 1, face->glyf_len ));
+ " truncating at the end of `glyf' table to %ld bytes\n",
+ pos2 - pos1, gindex, face->glyf_len - pos1 ));
pos2 = face->glyf_len;
}
else