ref: 4e659d7eadb2cb17c28f1c23ac77cebd7b7e3e33
parent: ca8e98d94ac08402ce2e52025ff4a37c8a09fdc0
author: Werner Lemberg <[email protected]>
date: Sat Sep 3 14:14:00 EDT 2016
[truetype] More fixes for handling of GX deltas. Problems reported by Bob Taylor <[email protected]>. * src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Fix rough sanity test for glyph variation array header size. Always set stream position before reading packed x and y deltas. Fix thinko w.r.t. `localpoints' array.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2016-09-03 Werner Lemberg <[email protected]>
+ [truetype] More fixes for handling of GX deltas.
+
+ Problems reported by Bob Taylor <[email protected]>.
+
+ * src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Fix rough
+ sanity test for glyph variation array header size.
+ Always set stream position before reading packed x and y deltas.
+ Fix thinko w.r.t. `localpoints' array.
+
+2016-09-03 Werner Lemberg <[email protected]>
+
[ftrandom] Various fixes.
* src/tools/ftrandom/ftrandom.c (GOOD_FONTS_DIR): Provide better
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1894,7 +1894,8 @@
offsetToData = FT_GET_USHORT();
/* rough sanity test */
- if ( offsetToData + tupleCount * 4 > blend->gvar_size )
+ if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
+ blend->gvar_size )
{FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
" invalid glyph variation array header\n" ));
@@ -1979,10 +1980,10 @@
here = FT_Stream_FTell( stream );
+ FT_Stream_SeekSet( stream, offsetToData );
+
if ( tupleIndex & GX_TI_PRIVATE_POINT_NUMBERS )
{- FT_Stream_SeekSet( stream, offsetToData );
-
localpoints = ft_var_readpackedpoints( stream,
blend->gvar_size,
&point_count );
@@ -2045,9 +2046,6 @@
#endif
}
- else if ( localpoints == NULL )
- ; /* failure, ignore it */
-
else
{#ifdef FT_DEBUG_LEVEL_TRACE
@@ -2065,7 +2063,7 @@
for ( j = 0; j < point_count; j++ )
{- FT_UShort idx = localpoints[j];
+ FT_UShort idx = points[j];
if ( idx >= n_points )