ref: 7f63105c072388e5a5674c0caafc7a560e31c95b
parent: 9f6426eb16c666c3545faf913af260214205c77c
author: Werner Lemberg <[email protected]>
date: Tue Jul 19 17:35:58 EDT 2016
[truetype] Sanitizer fix, second try. * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Fix boundary tests and use only one slot more.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-07-19 Werner Lemberg <[email protected]>
+ [truetype] Sanitizer fix, second try.
+
+ * src/truetype/ttgxvar.c (ft_var_readpackedpoints): Fix boundary
+ tests and use only one slot more.
+
+2016-07-19 Werner Lemberg <[email protected]>
+
[truetype] Sanitizer fix.
* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Increase array
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -159,9 +159,9 @@
}
/* in the nested loops below we increase `i' twice; */
- /* it is faster to simply allocate two more slots */
+ /* it is faster to simply allocate one more slot */
/* than to add another test within the loop */
- if ( FT_NEW_ARRAY( points, n + 2 ) )
+ if ( FT_NEW_ARRAY( points, n + 1 ) )
return NULL;
*point_cnt = n;
@@ -182,7 +182,7 @@
{first += FT_GET_USHORT();
points[i++] = first;
- if ( i == n )
+ if ( i >= n )
break;
}
}
@@ -195,7 +195,7 @@
{first += FT_GET_BYTE();
points[i++] = first;
- if ( i == n )
+ if ( i >= n )
break;
}
}