ref: e5c14d93b8a7524167516ce224c376fa0e414e64
parent: f4bc3f40b37ebdd162be3f96793bbb0e6851b6bb
author: Werner Lemberg <[email protected]>
date: Tue Jun 5 16:50:37 EDT 2007
* src/psaux/psobjs.c (ps_tocoordarray, ps_tofixedarray): Return -1 in case of parsing error. (ps_parser_load_field): Updated. * src/type1/t1load.c (parse_font_matrix): Updated.
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,13 @@
* src/winfnt/winfnt.c (FNT_Face_Init): Check `family_size'.
+
+ * src/psaux/psobjs.c (ps_tocoordarray, ps_tofixedarray): Return -1
+ in case of parsing error.
+ (ps_parser_load_field): Updated.
+
+ * src/type1/t1load.c (parse_font_matrix): Updated.
+
2007-06-04 Werner Lemberg <[email protected]>
* src/cid/cidgload.c (cid_load_glyph): Check `fd_select'.
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -785,8 +785,7 @@
if ( c == '[' )
ender = ']';
-
- if ( c == '{' )
+ else if ( c == '{' )
ender = '}';
if ( ender )
@@ -795,7 +794,8 @@
/* now, read the coordinates */
while ( cur < limit )
{
- FT_Short dummy;
+ FT_Short dummy;
+ FT_Byte* old_cur;
/* skip whitespace in front of data */
@@ -812,12 +812,21 @@
break;
}
+ old_cur = cur;
+
/* call PS_Conv_ToFixed() even if coords == NULL */
/* to properly parse number at `cur' */
*( coords != NULL ? &coords[count] : &dummy ) =
(FT_Short)( PS_Conv_ToFixed( &cur, limit, 0 ) >> 16 );
- count++;
+ if ( old_cur == cur )
+ {
+ count = -1;
+ goto Exit;
+ }
+ else
+ count++;
+
if ( !ender )
break;
}
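Review bot: ps_tocoordarray can now return -1, but this diff updates only callers of ps_tofixedarray, so any caller that uses the ps_tocoordarray result as an element count or loop bound needs a `< 0` check first. Whether such callers exist is not visible here. The function's header comment should record the new contract, for example `/* Returns the number of coordinates parsed, or -1 on a parsing error. */`. The store into `coords[count]` also happens before the `old_cur == cur` test, so on failure one slot holds a value that was never parsed. The same points apply to the matching ps_tofixedarray hunk, and the function body starts and ends outside this hunk.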
@@ -830,7 +839,7 @@
/* first character must be a delimiter or a part of a number */
/* NB: `values' can be NULL if we just want to skip the */
- /* array in this case we ignore `max_values' */
+ /* array; in this case we ignore `max_values' */
static FT_Int
ps_tofixedarray( FT_Byte* *acur,
@@ -854,8 +863,7 @@
if ( c == '[' )
ender = ']';
-
- if ( c == '{' )
+ else if ( c == '{' )
ender = '}';
if ( ender )
@@ -864,7 +872,8 @@
/* now, read the values */
while ( cur < limit )
{
- FT_Fixed dummy;
+ FT_Fixed dummy;
+ FT_Byte* old_cur;
/* skip whitespace in front of data */
@@ -881,12 +890,21 @@
break;
}
+ old_cur = cur;
+
/* call PS_Conv_ToFixed() even if coords == NULL */
/* to properly parse number at `cur' */
*( values != NULL ? &values[count] : &dummy ) =
PS_Conv_ToFixed( &cur, limit, power_ten );
- count++;
+ if ( old_cur == cur )
+ {
+ count = -1;
+ goto Exit;
+ }
+ else
+ count++;
+
if ( !ender )
break;
}
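Review bot: The context comment above the conversion still reads `even if coords == NULL`, but the parameter in this function is `values`, as the assignment right below it shows. While the neighbouring lines are being changed, the comment could be corrected to `/* call PS_Conv_ToFixed() even if values == NULL */`. ps_tofixedarray's body starts and ends outside the hunk.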
@@ -1161,9 +1179,18 @@
{
FT_Fixed temp[4];
FT_BBox* bbox = (FT_BBox*)q;
+ FT_Int result;
- (void)ps_tofixedarray( &token.start, token.limit, 4, temp, 0 );
+ result = ps_tofixedarray( &token.start, token.limit, 4, temp, 0 );
+
+ if ( result < 0 )
+ {
+ FT_ERROR(( "ps_parser_load_field: "
+ "expected four integers in bounding box\n" ));
+ error = PSaux_Err_Invalid_File_Format;
+ goto Exit;
+ }
bbox->xMin = FT_RoundFix( temp[0] );
bbox->yMin = FT_RoundFix( temp[1] );
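Review bot: The new check `result < 0` rejects only a parse error, so a bounding-box array with fewer than four numbers still passes. `temp` is declared without an initializer, so the reads of `temp[0]` and `temp[1]` below (and presumably `temp[2]`/`temp[3]` past the hunk) can use uninitialized stack values. Since the error message already says four integers are expected, the condition should be `if ( result < 4 )`. The parse_font_matrix hunk in src/type1/t1load.c has the same gap: `FT_ABS( temp[3] )` runs after only `result < 0` is checked, where `if ( result < 6 )` would also reject a short array. Both enclosing functions continue outside their hunks.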
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1066,9 +1066,16 @@
FT_Face root = (FT_Face)&face->root;
FT_Fixed temp[6];
FT_Fixed temp_scale;
+ FT_Int result;
- (void)T1_ToFixedArray( parser, 6, temp, 3 );
+ result = T1_ToFixedArray( parser, 6, temp, 3 );
+
+ if ( result < 0 )
+ {
+ parser->root.error = T1_Err_Invalid_File_Format;
+ return;
+ }
temp_scale = FT_ABS( temp[3] );