ref: b03c4a0a3f033dc1477404193734b964b4647a35
parent: 3abf617b5e83a5cbe588169844fe931e7b91e50f
author: Dirk Müller <[email protected]>
date: Fri Jul 22 01:24:11 EDT 2011
[psaux, type1] Fix null pointer dereferences. Found with font fuzzing. * src/psaux/t1decode.c (t1_decoder_parse_charstrings): Check `decoder->buildchar'. * src/type1/t1load.c (t1_load_keyword): Check `blend->num_designs'.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2011-07-22 Dirk Müller <[email protected]>
+
+ [psaux, type1] Fix null pointer dereferences.
+
+ Found with font fuzzying.
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings): Check
+ `decoder->buildchar'.
+
+ * src/type1/t1load.c (t1_load_keyword): Check `blend->num_designs'.
+
2011-07-20 Chris Morgan <[email protected]>
Add FT_CONFIG_OPTION_DISABLE_STREAM_SUPPORT.
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -397,7 +397,7 @@
FT_ASSERT( ( decoder->len_buildchar == 0 ) ==
( decoder->buildchar == NULL ) );
- if ( decoder->len_buildchar > 0 )
+ if ( decoder->buildchar && decoder->len_buildchar > 0 )
ft_memset( &decoder->buildchar[0],
0,
sizeof( decoder->buildchar[0] ) * decoder->len_buildchar );
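Review bot: The added `decoder->buildchar &&` guard contradicts the FT_ASSERT two lines above it, which states that buildchar is NULL exactly when len_buildchar is 0; in a debug build the assertion aborts before the guard matters, and in a release build, where FT_ASSERT compiles to nothing, the guard silently hides a broken invariant. That makes the fix a symptom patch: a decoder reaching this point with len_buildchar > 0 and buildchar == NULL presumably means some caller set len_buildchar without allocating the buffer (inferred from the assertion; the setter is not in the hunk), and that path is the one to correct, or the assertion should be dropped so the two checks do not disagree. At minimum the guard deserves a why-comment so the next reader does not remove it as redundant, e.g. `/* buildchar can be NULL on malformed fonts even when len_buildchar > 0; keep this check since FT_ASSERT is a no-op in release builds */`. The enclosing function t1_decoder_parse_charstrings starts and ends outside the hunk.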
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -4,8 +4,7 @@
/* */
/* Type 1 font loader (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */
-/* 2010 by */
+/* Copyright 1996-2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -921,6 +920,9 @@
FT_UInt max_objects;
PS_Blend blend = face->blend;
+
+ if ( blend && blend->num_designs == 0 )
+ blend = NULL;
/* if the keyword has a dedicated callback, call it */
if ( field->type == T1_FIELD_TYPE_CALLBACK )