ref: 99fb3c3ab84ae089d1ec92bd38e71e900d1e7513
parent: 588e38e0707a427b940d61de0d6dbfbae88629e9
author: Werner Lemberg <[email protected]>
date: Sun Mar 5 06:32:41 EST 2017
Comment updates.
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -964,7 +964,7 @@
fvar_len < 20 ||
FT_READ_ULONG( version ) ||
FT_READ_USHORT( offset ) ||
- FT_STREAM_SKIP( 2 ) /* count_size_pairs */ ||
+ FT_STREAM_SKIP( 2 ) /* reserved */ ||
FT_READ_USHORT( num_axes ) ||
FT_READ_USHORT( axis_size ) ||
FT_READ_USHORT( num_instances ) ||
@@ -980,12 +980,6 @@
/* check that the data is bound by the table length */
if ( version != 0x00010000UL ||
-#if 0
- /* fonts like `JamRegular.ttf' have an incorrect value for */
- /* `count_size_pairs'; since value 2 is hard-coded in `fvar' */
- /* version 1.0, we simply ignore it */
- count_size_pairs != 2 ||
-#endif
axis_size != 20 ||
num_axes == 0 ||
/* `num_axes' limit implied by 16-bit `instance_size' */
@@ -992,6 +986,7 @@
num_axes > 0x3FFE ||
!( instance_size == 4 + 4 * num_axes ||
instance_size == 6 + 4 * num_axes ) ||
+ /* `num_instances' limit implied by limited range of name IDs */
num_instances > 0x7EFF ||
offset +
axis_size * num_axes +