ref: 685dd4f7b8e6437093424a1931f4b1cb72f8c900
parent: 33febc0fb224ae834bec9d7953c6b8c6e40aecf6
author: Werner Lemberg <[email protected]>
date: Wed Oct 13 01:15:44 EDT 2004
* src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer overflow. * src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input. Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work in case of failure. * src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals. (tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after frame test. * src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for `flag'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2004-10-11 Joshua Neal <[email protected]>
+
+ * src/sfnt/ttcmap.c (tt_face_build_cmaps): Check for pointer
+ overflow.
+
+ * src/sfnt/ttload.c (tt_face_load_hdmx): Protect against bad input.
+ Don't use FT_QNEW_ARRAY but FT_NEW_ARRAY to make deallocation work
+ in case of failure.
+
+ * src/sfnt/ttsbit.c (Load_SBit_Range): Check range intervals.
+ (tt_face_load_sbit_strikes): Allocate `strike_sbit_ranges' after
+ frame test.
+
+ * src/truetype/ttgload.c (TTLoad_Simple_Glyph): Add assertion for
+ `flag'.
+
2004-10-09 Werner Lemberg <[email protected]>
* docs/CHANGES: Updated.
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1935,7 +1935,9 @@
charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
offset = TT_NEXT_ULONG( p );
- if ( offset && table + offset + 2 < limit )
+ if ( offset &&
+ table + offset + 2 < limit &&
+ table + offset >= table )
{
FT_Byte* cmap = table + offset;
volatile FT_UInt format = TT_PEEK_USHORT( cmap );
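Review bot: The new third condition, `table + offset >= table`, forms the out-of-range pointer before comparing it, and pointer arithmetic past the object is undefined behaviour in C, so an optimizing compiler may fold that comparison to true and drop the very overflow check this commit adds; the second condition, `table + offset + 2 < limit`, has the same problem. Comparing integers rather than pointers keeps the check effective: `if ( offset && limit - table > 2 && offset < (FT_ULong)( limit - table ) - 2 )`, which is equivalent to the intended `table + offset + 2 < limit` without ever computing an out-of-range pointer. This assumes `limit` is an `FT_Byte*` like `table`; its declaration is outside the hunk, as is the rest of the enclosing loop body.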
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -1842,16 +1842,21 @@
FT_FRAME_EXIT();
+ if ( record_size < 0 || num_records < 0 )
+ return SFNT_Err_Invalid_File_Format;
+
/* Only recognize format 0 */
if ( hdmx->version != 0 )
goto Exit;
- if ( FT_QNEW_ARRAY( hdmx->records, num_records ) )
+ /* we can't use FT_QNEW_ARRAY here; otherwise tt_face_free_hdmx */
+ /* could fail during deallocation */
+ if ( FT_NEW_ARRAY( hdmx->records, num_records ) )
goto Exit;
hdmx->num_records = num_records;
- num_glyphs = face->root.num_glyphs;
- record_size -= num_glyphs + 2;
+ num_glyphs = face->root.num_glyphs;
+ record_size -= num_glyphs + 2;
{
TT_HdmxEntry cur = hdmx->records;
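Review bot: The added sign check at the top of the hunk still accepts a `record_size` smaller than `num_glyphs + 2`, after which `record_size -= num_glyphs + 2;` goes negative; the padding skip further down only tests `record_size > 0`, so if the per-record loop that starts at the end of this hunk (its body is outside the hunk) reads `num_glyphs` bytes per record, a short record is still read past its declared size. Extending the new check to `if ( record_size < 0 || num_records < 0 || record_size < face->root.num_glyphs + 2 )` rejects such a table before `hdmx->records` is allocated, keeping the early `return` consistent with the check already there. Whether the loop reads that many bytes per record cannot be confirmed from the hunk, so the extra bound is worth verifying against the loop body.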
@@ -1871,7 +1876,7 @@
/* skip padding bytes */
if ( record_size > 0 && FT_STREAM_SKIP( record_size ) )
- goto Exit;
+ goto Exit;
}
}
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -334,6 +334,13 @@
FT_Bool large = FT_BOOL( range->index_format == 1 );
+
+ if ( range->last_glyph < range->first_glyph )
+ {
+ error = SFNT_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
num_glyphs = range->last_glyph - range->first_glyph + 1L;
range->num_glyphs = num_glyphs;
num_glyphs++; /* XXX: BEWARE - see spec */
@@ -519,12 +526,12 @@
FT_ULong count2 = strike->num_ranges;
- if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
- goto Exit;
-
/* read each range */
if ( FT_STREAM_SEEK( table_base + strike->ranges_offset ) ||
FT_FRAME_ENTER( strike->num_ranges * 8L ) )
+ goto Exit;
+
+ if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) )
goto Exit;
range = strike->sbit_ranges;
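Review bot: With `FT_NEW_ARRAY` now placed after `FT_FRAME_ENTER`, an allocation failure jumps to `Exit` with the frame still entered; unless the `Exit` label, which is outside the hunk, calls `FT_FRAME_EXIT`, this path leaks the frame, which the old order could not do because nothing was entered before the allocation. Exiting the frame inline on that path, `if ( FT_NEW_ARRAY( strike->sbit_ranges, strike->num_ranges ) ) { FT_FRAME_EXIT(); goto Exit; }`, keeps the enter/exit pairing regardless of what `Exit` does. The loop that reads the ranges and the frame exit on the success path continue past the hunk.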
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -426,6 +426,8 @@
flag = (FT_Byte*)outline->tags;
flag_limit = flag + n_points;
+ FT_ASSERT( flag != NULL );
+
while ( flag < flag_limit )
{
if ( --byte_len < 0 )
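Review bot: `FT_ASSERT( flag != NULL )` is a diagnostic rather than input validation: if `FT_ASSERT` compiles to nothing outside debug builds (its definition is not in this file), the `while` loop below still dereferences a NULL `flag` on exactly the condition the assertion is meant to catch. If `outline->tags` can be NULL here for a glyph with `n_points > 0`, a runtime check that jumps to the function's existing error label with an invalid-glyph error is the robust form; if it cannot be NULL, the assertion is fine but a one-line comment stating which earlier step guarantees the allocation would document the invariant for the next reader. TTLoad_Simple_Glyph continues on both sides of the hunk, so the error label and variable are not visible here.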