diff options
author | Jungshik Shin <jungshik@google.com> | 2016-09-18 03:50:36 -0700 |
---|---|---|
committer | Sean McCreary <mccreary@mcwest.org> | 2017-04-07 16:53:42 -0600 |
commit | 3ff870b9dbbd88173df82269d3c1cffb1eba2eda (patch) | |
tree | 0e443679e800bb442b2cbb2f7ae086b787ca65ff /src/base/ftobjs.c | |
parent | f720f0dbcf012d6c984dbbefa0875ef9840458c6 (diff) | |
download | android_external_freetype-replicant-6.0-0001.tar.gz android_external_freetype-replicant-6.0-0001.tar.bz2 android_external_freetype-replicant-6.0-0001.zip |
Update FreeType from 2.6.2 to c38be52bf8de (2.7 + a few post-2.7 CLs)HEADreplicant-6.0-0002replicant-6.0-0001cm-13.0
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c38be52b
Keep all the configuration options as before.
Likewise, exclude unused files (Jamfiles, various mk files, builds/,
docs/, ChangeLog*, directories under src/ for disabled modules, etc).
Update README.android to record the configurations.
Besides, disable a new option (TT_CONFIG_OPTION_SUBPIXEL_HINTING) for
branches. Note that a bulk of changes in this CL come from the code to
implement this option.
BUG: 31470908
AOSP-Change-Id: I1ca90aec171d9580415b8531e2b767e9dd31164c
CVE-2016-10244
Change-Id: I4485d2ea543c52f8145ab23372cf3e5c7345879b
(cherry picked from commit 055aee28cedc3631434b2636fc6093c0d4d818ab)
Diffstat (limited to 'src/base/ftobjs.c')
-rw-r--r-- | src/base/ftobjs.c | 91 |
1 files changed, 77 insertions, 14 deletions
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 96572bd..9006b59 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -4,7 +4,7 @@ /* */ /* The FreeType private base classes (body). */ /* */ -/* Copyright 1996-2015 by */ +/* Copyright 1996-2016 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -688,7 +688,6 @@ /* both `fpgm' and `prep' tables are missing */ if ( ( mode == FT_RENDER_MODE_LIGHT && !FT_DRIVER_HINTS_LIGHTLY( driver ) ) || - face->internal->ignore_unpatented_hinter || ( FT_IS_SFNT( face ) && ttface->num_locations && ttface->max_profile.maxSizeOfInstructions == 0 && @@ -1419,7 +1418,7 @@ /* Type 1 and CID-keyed font drivers should recognize sfnt-wrapped */ /* format too. Here, since we can't expect that the TrueType font */ - /* driver is loaded unconditially, we must parse the font by */ + /* driver is loaded unconditionally, we must parse the font by */ /* ourselves. We are only interested in the name of the table and */ /* the offset. */ @@ -1484,6 +1483,7 @@ if ( face_index >= 0 && pstable_index == face_index ) return FT_Err_Ok; } + return FT_THROW( Table_Missing ); } @@ -1521,6 +1521,19 @@ if ( error ) goto Exit; + if ( offset > stream->size ) + { + FT_TRACE2(( "open_face_PS_from_sfnt_stream: invalid table offset\n" )); + error = FT_THROW( Invalid_Table ); + goto Exit; + } + else if ( length > stream->size - offset ) + { + FT_TRACE2(( "open_face_PS_from_sfnt_stream: invalid table length\n" )); + error = FT_THROW( Invalid_Table ); + goto Exit; + } + error = FT_Stream_Seek( stream, pos + offset ); if ( error ) goto Exit; @@ -1529,7 +1542,8 @@ goto Exit; error = FT_Stream_Read( stream, (FT_Byte *)sfnt_ps, length ); - if ( error ) { + if ( error ) + { FT_FREE( sfnt_ps ); goto Exit; } @@ -1777,8 +1791,8 @@ FT_Long face_index_in_resource = 0; - if ( face_index == -1 ) - face_index = 0; + if ( face_index < 0 ) + face_index = -face_index - 1; if ( face_index >= resource_cnt ) return FT_THROW( Cannot_Open_Resource ); @@ -2300,11 +2314,24 @@ if ( bsize->height < 0 ) - bsize->height = (FT_Short)-bsize->height; + bsize->height = -bsize->height; if ( bsize->x_ppem < 0 ) - bsize->x_ppem = (FT_Short)-bsize->x_ppem; + bsize->x_ppem = -bsize->x_ppem; if ( bsize->y_ppem < 0 ) bsize->y_ppem = -bsize->y_ppem; + + /* check whether negation actually has worked */ + if ( bsize->height < 0 || bsize->x_ppem < 0 || bsize->y_ppem < 0 ) + { + FT_TRACE0(( "FT_Open_Face:" + " Invalid bitmap dimensions for stroke %d," + " now disabled\n", i )); + bsize->width = 0; + bsize->height = 0; + bsize->size = 0; + bsize->x_ppem = 0; + bsize->y_ppem = 0; + } } } @@ -2604,6 +2631,9 @@ w = FT_PIX_ROUND( w ); h = FT_PIX_ROUND( h ); + if ( !w || !h ) + return FT_THROW( Invalid_Pixel_Size ); + for ( i = 0; i < face->num_fixed_sizes; i++ ) { FT_Bitmap_Size* bsize = face->available_sizes + i; @@ -2623,6 +2653,8 @@ } } + FT_TRACE3(( "FT_Match_Size: no matching bitmap strike\n" )); + return FT_THROW( Invalid_Pixel_Size ); } @@ -4202,7 +4234,8 @@ MD5_Init( &ctx ); - MD5_Update( &ctx, bitmap.buffer, rows * pitch ); + if ( bitmap.buffer ) + MD5_Update( &ctx, bitmap.buffer, rows * pitch ); MD5_Final( md5, &ctx ); FT_TRACE3(( "MD5 checksum for %dx%d bitmap:\n" @@ -4308,7 +4341,7 @@ { FT_Error error; FT_Memory memory; - FT_Module module; + FT_Module module = NULL; FT_UInt nn; @@ -4549,7 +4582,8 @@ const FT_String* module_name, const FT_String* property_name, void* value, - FT_Bool set ) + FT_Bool set, + FT_Bool value_is_string ) { FT_Module* cur; FT_Module* limit; @@ -4619,8 +4653,13 @@ return FT_THROW( Unimplemented_Feature ); } - return set ? service->set_property( cur[0], property_name, value ) - : service->get_property( cur[0], property_name, value ); + return set ? service->set_property( cur[0], + property_name, + value, + value_is_string ) + : service->get_property( cur[0], + property_name, + value ); } @@ -4636,7 +4675,8 @@ module_name, property_name, (void*)value, - TRUE ); + TRUE, + FALSE ); } @@ -4652,10 +4692,33 @@ module_name, property_name, value, + FALSE, FALSE ); } +#ifdef FT_CONFIG_OPTION_ENVIRONMENT_PROPERTIES + + /* this variant is used for handling the FREETYPE_PROPERTIES */ + /* environment variable */ + + FT_BASE_DEF( FT_Error ) + ft_property_string_set( FT_Library library, + const FT_String* module_name, + const FT_String* property_name, + FT_String* value ) + { + return ft_property_do( library, + module_name, + property_name, + (void*)value, + TRUE, + TRUE ); + } + +#endif + + /*************************************************************************/ /*************************************************************************/ /*************************************************************************/ |