3
From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001
4
From: Werner Lemberg <wl@gnu.org>
5
Date: Sat, 22 Nov 2014 09:46:47 +0000
6
Subject: [type42] Fix Savannah bug #43659.
8
* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
10
* src/type42/t42parse.c (t42_parse_sfnts): Always set
11
`face->ttf_size' directly. This ensures a correct stream size in
12
the call to `FT_Open_Face', which follows after parsing, even for
16
Index: freetype-2.4.8/src/type42/t42objs.c
17
===================================================================
18
--- freetype-2.4.8.orig/src/type42/t42objs.c 2015-02-24 09:57:33.071500298 -0500
19
+++ freetype-2.4.8/src/type42/t42objs.c 2015-02-24 09:57:33.067500267 -0500
21
if ( FT_ALLOC( face->ttf_data, 12 ) )
24
+ /* while parsing the font we always update `face->ttf_size' so that */
25
+ /* even in case of buggy data (which might lead to premature end of */
26
+ /* scanning without causing an error) the call to `FT_Open_Face' in */
27
+ /* `T42_Face_Init' passes the correct size */
28
+ face->ttf_size = 12;
30
error = t42_parser_init( parser,
33
Index: freetype-2.4.8/src/type42/t42parse.c
34
===================================================================
35
--- freetype-2.4.8.orig/src/type42/t42parse.c 2015-02-24 09:57:33.071500298 -0500
36
+++ freetype-2.4.8/src/type42/t42parse.c 2015-02-24 10:00:32.536900770 -0500
38
FT_Byte* limit = parser->root.limit;
40
FT_Int num_tables = 0;
41
- FT_ULong count, ttf_size = 0;
44
FT_Long n, string_size, old_string_size, real_size;
45
FT_Byte* string_buf = NULL;
48
if ( limit - parser->root.cursor < string_size )
50
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
51
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
52
error = T42_Err_Invalid_File_Format;
59
- num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
60
- status = BEFORE_TABLE_DIR;
61
- ttf_size = 12 + 16 * num_tables;
62
+ num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
63
+ status = BEFORE_TABLE_DIR;
64
+ face->ttf_size = 12 + 16 * num_tables;
66
- if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
67
+ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
72
case BEFORE_TABLE_DIR:
73
/* the offset table is read; read the table directory */
74
- if ( count < ttf_size )
75
+ if ( count < face->ttf_size )
77
face->ttf_data[count++] = string_buf[n];
80
len = FT_PEEK_ULONG( p );
82
/* Pad to a 4-byte boundary length */
83
- ttf_size += ( len + 3 ) & ~3;
84
+ face->ttf_size += ( len + 3 ) & ~3;
87
- status = OTHER_TABLES;
88
- face->ttf_size = ttf_size;
89
+ status = OTHER_TABLES;
91
/* there are no more than 256 tables, so no size check here */
92
if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
94
+ face->ttf_size + 1 ) )
100
/* all other tables are just copied */
101
- if ( count >= ttf_size )
102
+ if ( count >= face->ttf_size )
104
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
105
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
106
error = T42_Err_Invalid_File_Format;