

ref: eee4ff8d5aff07a073d6b5721a00eb0eb7715c5e
parent: 08c628d128e6fba3a7a7be610d459b0d7f556f07
author: Werner Lemberg <[email protected]>
date: Wed Feb 26 13:12:36 EST 2014

[winfnt] Fix Savannah bug #41694.

* src/winfonts/winfnt.c (FNT_Load_Glyph): Check glyph offset.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,16 @@
-2014-02-26  Wermer Lemberg  <[email protected]>
+2014-02-26  Werner Lemberg  <[email protected]>
 
+	[winfnt] Fix Savannah bug #41694.
+
+	* src/winfonts/winfnt.c (FNT_Load_Glyph): Check glyph offset.
+
+2014-02-26  Werner Lemberg  <[email protected]>
+
 	[cff] Fix Savannah bug #41693.
 
 	* src/cff/cffload.c (CFF_Load_FD_Select): Reject empty array.
 
-2014-02-26  Wermer Lemberg  <[email protected]>
+2014-02-26  Werner Lemberg  <[email protected]>
 
 	[bdf] Fix Savannah bug #41692.
 
--- a/src/winfonts/winfnt.c
+++ b/src/winfonts/winfnt.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    FreeType font driver for Windows FNT/FON files                       */
 /*                                                                         */
-/*  Copyright 1996-2004, 2006-2013 by                                      */
+/*  Copyright 1996-2004, 2006-2014 by                                      */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*  Copyright 2003 Huw D M Davies for Codeweavers                          */
 /*  Copyright 2007 Dmitry Timoshkov for Codeweavers                        */
@@ -977,7 +977,7 @@
 
     font = face->font;
 
-    if ( !font ||
+    if ( !font                                                   ||
          glyph_index >= (FT_UInt)( FT_FACE( face )->num_glyphs ) )
     {
       error = FT_THROW( Invalid_Argument );
@@ -989,16 +989,26 @@
     if ( glyph_index > 0 )
       glyph_index--;                           /* revert to real index */
     else
-      glyph_index = font->header.default_char; /* the .notdef glyph */
+      glyph_index = font->header.default_char; /* the `.notdef' glyph  */
 
     new_format = FT_BOOL( font->header.version == 0x300 );
     len        = new_format ? 6 : 4;
 
-    /* jump to glyph entry */
-    p = font->fnt_frame + ( new_format ? 148 : 118 ) + len * glyph_index;
+    /* get glyph width and offset */
+    offset = ( new_format ? 148 : 118 ) + len * glyph_index;
 
+    if ( offset >= font->header.file_size - 2 - ( new_format ? 4 : 2 ) )
+    {
+      FT_TRACE2(( "invalid FNT offset\n" ));
+      error = FT_THROW( Invalid_File_Format );
+      goto Exit;
+    }
+
+    p = font->fnt_frame + offset;
+
     bitmap->width = FT_NEXT_SHORT_LE( p );
 
+    /* jump to glyph entry */
     if ( new_format )
       offset = FT_NEXT_ULONG_LE( p );
     else
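Review bot: The new guard `offset >= font->header.file_size - 2 - ( new_format ? 4 : 2 )` subtracts from an unsigned header field, so a file whose declared `file_size` is smaller than 6 (or 4) wraps the right-hand side to a huge value and the check accepts every offset; unless `file_size` is validated against that minimum earlier (not visible in this hunk), the bound should be written in an underflow-safe form. Since `len` already equals `2 + ( new_format ? 4 : 2 )`, the same condition can be expressed as `if ( font->header.file_size <= len || offset >= font->header.file_size - len )`, which rejects undersized headers instead of wrapping. The check also relies on `fnt_frame` actually holding `file_size` bytes, which this hunk does not show; a one-line comment such as `/* fnt_frame is file_size bytes long (see fnt_font_load) */` would make that dependence explicit. Note that `offset` is reused for the bitmap data offset read by `FT_NEXT_ULONG_LE( p )` just below, and that second value needs its own bound against `file_size` before it is used; the rest of FNT_Load_Glyph lies outside this hunk, so I cannot tell whether that check exists.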