ref: 9bcfab87581d7ed0cc4dd62bc24e701e5aff5725
parent: a32682f17668490c0bbde06a120a47372eb9dea2
author: John Tytgat <[email protected]>
date: Tue Aug 6 04:55:19 EDT 2013
Fix Savannah bug #39702. * src/cff/cffload.c (cff_index_get_pointers): Check for `cur_offset != 0'; this stronger test is mandated by the CFF specification. Fix test for INDEX structures which have one or more empty entries at the end.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2013-08-06 John Tytgat <[email protected]>
+
+ Fix Savannah bug #39702.
+
+ * src/cff/cffload.c (cff_index_get_pointers): Check for `cur_offset
+ != 0'; this stronger test is mandated by the CFF specification.
+ Fix test for INDEX structures which have one or more empty entries
+ at the end.
+
2013-08-05 Werner Lemberg <[email protected]>
Fix gcc pragmas, part 2.
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -414,7 +414,7 @@
cur_offset = idx->offsets[0] - 1;
/* sanity check */
- if ( cur_offset >= idx->data_size )
+ if ( cur_offset != 0 )
{
FT_TRACE0(( "cff_index_get_pointers:"
" invalid first offset value %d set to zero\n",
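Review bot: The comment above the new `if ( cur_offset != 0 )` test still reads only `/* sanity check */`, so the reason a non-zero value is invalid lives only in the commit message. I would state the invariant at the test itself, e.g. `/* CFF INDEX offsets are 1-based and the first one must be 1, so cur_offset has to be 0 here */`. If the offsets are unsigned, the same test also catches a stored 0 wrapping around in `idx->offsets[0] - 1`, which is worth a mention in that comment. Separately, the trace string prints the value with `%d`, while the second hunk compares `cur_offset` against an `FT_ULong`; if `cur_offset` has that type (its declaration is outside the hunk), the conversion should be `%lu`. The FT_TRACE0 call and its enclosing block continue past the end of this hunk.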
@@ -432,11 +432,11 @@
FT_ULong next_offset = idx->offsets[n] - 1;
- /* empty slot + two sanity checks for invalid offset tables */
- if ( next_offset == 0 ||
- next_offset < cur_offset ||
- ( next_offset >= idx->data_size && n < idx->count ) )
+ /* two sanity checks for invalid offset tables */
+ if ( next_offset < cur_offset )
next_offset = cur_offset;
+ else if ( next_offset > idx->data_size )
+ next_offset = idx->data_size;
if ( !pool )
t[n] = org_bytes + next_offset;
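Review bot: Both corrections in the rewritten test are silent, unlike the first-offset check above, which reports the bad value through FT_TRACE0. The offset table comes straight from the font file, so a trace on each clamp would make a malformed INDEX visible when diagnosing a bad font. The comment should also cover the wraparound case: a stored offset of 0 makes `idx->offsets[n] - 1` a very large `FT_ULong`, which lands in the `else if` and is clamped to `idx->data_size`, so that entry runs to the end of the data. Suggested wording: `/* clamp out-of-order offsets to the previous one, and out-of-range offsets (including a stored 0, which wraps) to the end of the data */`. The pool branch that later writes through `t[n]` is outside the hunk, so whether that buffer has room for an entry ending exactly at `data_size` must be checked against its allocation.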