ref: 5ef20c8c1d4de12a84b50ba497c2a358c90ec44b
parent: f29f741efbba0a5ce2f16464f648fb8d026ed4c8
author: suzuki toshiya <[email protected]>
date: Thu Jul 1 14:39:04 EDT 2010
Initial fix for Savannah bug #30306. * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen', the length of the fragment declared in the POST fragment header, and prevent an underflow in the length calculation. Some fonts set the length to zero despite the existence of the following 16-bit `type'. Reported by Robert Swiecki.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
2010-07-01 suzuki toshiya <[email protected]>
+ Initial fix for Savannah bug #30306.
+
+ * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
+ the length of fragment declared in the POST fragment header
+ and prevent an underflow in length calculation. Some fonts
+ set the length to zero in spite of the exist of following
+ 16bit `type'. Reported by Robert Swiecki.
+
+2010-07-01 suzuki toshiya <[email protected]>
+
Additional fix for Savannah bug #30248 and #30249.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1547,7 +1547,16 @@
goto Exit;
if ( FT_READ_USHORT( flags ) )
goto Exit;
- rlen -= 2; /* the flags are part of the resource */
+ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+ i, offsets[i], rlen, flags ));
+
+ /* the flags are part of the resource, so rlen >= 2. */
+ /* but some fonts declare rlen = 0 for empty fragment */
+ if ( rlen > 2 )
+ rlen -= 2;
+ else
+ rlen = 0;
+
if ( ( flags >> 8 ) == type )
len += rlen;
else
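Review bot: The new `if ( rlen > 2 ) ... else rlen = 0;` clamp treats a header declaring rlen == 1 — and a negative rlen, if `rlen` is a signed FT_Long (its declaration is outside the hunk) — exactly like the rlen == 0 case the comment describes, so a malformed fragment length is accepted without leaving any trace; an `else if ( rlen != 0 ) FT_TRACE3(( "POST fragment[%d]: bad rlen, treating as empty\n", i ));` ahead of the `rlen = 0` would make such fonts visible in trace output, and the comment should say the clamp is deliberate for the non-zero case as well. The `%08x` conversions in the added FT_TRACE3 should match the actual types of `offsets[i]` and `rlen`: if they are long, use `%08lx` or cast the arguments to unsigned int, since `%x` with a long argument is a format mismatch on LP64 targets. `len += rlen` on the following context line still accumulates per-fragment lengths, so this change only fixes the per-fragment underflow; any overall bound on `len` lives outside this hunk. The enclosing loop and Mac_Read_POST_Resource itself start and end outside the hunk.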