ref: a08b2176c13a4b6d6e8cfa1f03f54eccf17d1331
parent: 23553d6d2b1d2a700b8ebc2e5dfabc9c7bc4cde1
author: Werner Lemberg <[email protected]>
date: Wed Mar 28 03:17:17 EDT 2007
* src/bdf/bdflib.c (setsbit, sbitset): Handle values >= 128 gracefully. (_bdf_set_default_spacing): Increase `name' buffer size to 256 and issue an error for longer names. (_bdf_parse_glyphs): Limit allowed number of glyphs in font to the number of code points in Unicode.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,20 +1,30 @@
+2007-03-28 Werner Lemberg <[email protected]>
+
+ * src/bdf/bdflib.c (setsbit, sbitset): Handle values >= 128
+ gracefully.
+ (_bdf_set_default_spacing): Increase `name' buffer size to 256 and
+ issue an error for longer names.
+ (_bdf_parse_glyphs): Limit allowed number of glyphs in font to the
+ number of code points in Unicode.
+
2007-03-26 David Turner <[email protected]>
- * src/truetype/ttinterp.c: last fix for the MD instruction bytecode and
- remove the FIX_BYTECODE macros from the sources. Woot, this looks good.
+ * src/truetype/ttinterp.c: Last fix for the `MD' instruction
+ bytecode and remove the FIX_BYTECODE macros from the sources.
- * src/autofit/aflatin.c (af_latin_metrics_init_blues): fix blues computations
- in order to ignore 1-point contours. These are never rasterized and in certain
- fonts correspond to mark-attach points that are very far from the glyph's
- real outline, ruining the computation.
+ * src/autofit/aflatin.c (af_latin_metrics_init_blues): Fix blues
+ computations in order to ignore 1-point contours. These are never
+ rasterized and correspond in certain fonts mark-attach points that
+ are very far from the glyph's real outline, ruining the computation.
- * src/autofit/afloader.c (af_loader_load_g): in the case of monospaced fonts,
- always set "rsb_delta" and "lsb_delta" to 0. Otherwise code that uses them
- will most certainly ruin the fixed advance property.
+ * src/autofit/afloader.c (af_loader_load_g): In the case of
+ monospaced fonts, always set `rsb_delta' and `lsb_delta' to 0.
+ Otherwise code that uses them will most certainly ruin the fixed
+ advance property.
- * docs/CHANGES, docs/VERSION, include/freetype/freetype.h,
- builds/unix/configure.raw, README, Jamfile: update documentation and bump version
- number to 2.3.3
+ * docs/CHANGES, docs/VERSION, include/freetype/freetype.h,
+ builds/unix/configure.raw, README, Jamfile: Update documentation and
+ bump version number to 2.3.3.
2007-03-26 suzuki toshiya <[email protected]>
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -385,8 +385,10 @@
} _bdf_parse_t;
-#define setsbit( m, cc ) ( m[(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
-#define sbitset( m, cc ) ( m[(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) )
+#define setsbit( m, cc ) \
+ ( m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
+#define sbitset( m, cc ) \
+ ( m[(FT_Byte)(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) )
static void
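Review bot: Both macros now rely on an unstated size contract, because `(FT_Byte)(cc) >> 3` yields an index in 0..31 and so `m` must be a bitmap of at least 32 bytes. The arrays passed as `m` are declared outside this hunk, so their sizes should be confirmed, and the requirement recorded next to the macros, for example `/* `m' must hold at least 32 bytes (256 bits); `cc' is reduced to 0..255 */`. The macros also expand `cc` twice and leave `m` unparenthesized, so an argument with side effects would be evaluated twice; writing `(m)[...]` and passing only plain variables avoids that.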
@@ -1130,7 +1132,7 @@
bdf_options_t* opts )
{
unsigned long len;
- char name[128];
+ char name[256];
_bdf_list_t list;
FT_Memory memory;
FT_Error error = BDF_Err_Ok;
@@ -1149,6 +1151,13 @@
font->spacing = opts->font_spacing;
len = (unsigned long)( ft_strlen( font->name ) + 1 );
+ /* Limit ourselves to 256 characters in the font name. */
+ if ( len >= 256 )
+ {
+ error = BDF_Err_Invalid_Argument;
+ goto Exit;
+ }
+
FT_MEM_COPY( name, font->name, len );
error = _bdf_list_split( &list, (char *)"-", name, len );
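Review bot: The length check repeats the literal 256 from the `char name[256]` declaration in the previous hunk, so a later change to the buffer size could silently leave `FT_MEM_COPY( name, font->name, len )` unguarded. Tying the bound to the buffer keeps them together: `if ( len >= sizeof ( name ) )`. The comment is also slightly off, since `len` already includes the terminating NUL and the test is `>=`, so the longest accepted name is 254 characters; something like `/* Reject font names that do not fit into `name'. */` would be more accurate. The function starts and ends outside this hunk, so it is worth confirming that jumping to `Exit` at this point skips no cleanup that `list` needs.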
@@ -1466,6 +1475,14 @@
/* Make sure the number of glyphs is non-zero. */
if ( p->cnt == 0 )
font->glyphs_size = 64;
+
+ /* Limit ourselves to 1,114,112 glyphs in the font (this is the */
+ /* number of code points available in Unicode). */
+ if ( p->cnt >= 1114112UL )
+ {
+ error = BDF_Err_Invalid_Argument;
+ goto Exit;
+ }
if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) )
goto Exit;
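Review bot: The comment and the test disagree by one: it states a limit of 1,114,112 glyphs, but `p->cnt >= 1114112UL` also rejects a font declaring exactly that many. Either use `>` or reword the comment to say the count must be below that value. The test reads `p->cnt` while the allocation that follows uses `font->glyphs_size`; the hunk shows the two differing when the count is zero, so checking the value actually passed to `FT_NEW_ARRAY` would make the intent clearer. The check bounds only the declared count, and whether the glyph array can later grow past it while glyphs are parsed is outside this hunk. A named constant for 1114112UL would also help.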