authorDavid 'Digit' Turner <digit@google.com>2011-01-26 13:53:40 +0100
committerDavid 'Digit' Turner <digit@google.com>2011-01-26 13:53:40 +0100
commit7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4 (patch)
treef9ed9e041d6830735eae3d4af62e9a602851faea /src/cff
parentcb487e4c5295d0d9bb96ddd3a27372ffad41ae5b (diff)
downloadandroid_external_freetype-7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4.tar.gz
android_external_freetype-7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4.tar.bz2
android_external_freetype-7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4.zip
Upgrade to upstream 2.4.4
This is necessary to fix several security issues. See b/3344697

Change-Id: Ica5c6387fbd791008199f7994ed03978ed700a69
Diffstat (limited to 'src/cff')
-rw-r--r--src/cff/cffload.c54
-rw-r--r--src/cff/cffobjs.c2
2 files changed, 23 insertions, 33 deletions
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 42e7730..000cbe3 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -519,6 +519,18 @@
}
}
+ /* XXX: should check off2 does not exceed the end of this entry; */
+ /* at present, only truncate off2 at the end of this stream */
+ if ( off2 > stream->size + 1 ||
+ idx->data_offset > stream->size - off2 + 1 )
+ {
+ FT_ERROR(( "cff_index_access_element:"
+ " offset to next entry (%d)"
+ " exceeds the end of stream (%d)\n",
+ off2, stream->size - idx->data_offset + 1 ));
+ off2 = stream->size - idx->data_offset + 1;
+ }
+
/* access element */
if ( off1 && off2 > off1 )
{
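Review bot: The clamp `off2 = stream->size - idx->data_offset + 1;` can itself wrap when `idx->data_offset` is larger than `stream->size + 1`, a case the new condition also sends into this branch (assuming these values are unsigned, as the arithmetic suggests). Unless `data_offset` is validated when the index is loaded (not visible here), the wrapped `off2` would still satisfy `off2 > off1` below. Testing `idx->data_offset > stream->size` first, and treating the element as empty or the file as invalid, would close that gap. Separately, the `%d` conversions in this FT_ERROR receive what look like unsigned long values, and the new FT_ERROR in the `invalid SID range trimmed` hunk passes `0xFFFFL - glyph_sid`, a long, to `%d`; `%lu`/`%ld` with matching casts would be correct in both places. The function body starts and ends outside the hunk.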
@@ -779,11 +791,12 @@
goto Exit;
for ( i = 0; i < num_glyphs; i++ )
+ {
if ( charset->sids[i] > max_cid )
max_cid = charset->sids[i];
- max_cid++;
+ }
- if ( FT_NEW_ARRAY( charset->cids, max_cid ) )
+ if ( FT_NEW_ARRAY( charset->cids, (FT_ULong)max_cid + 1 ) )
goto Exit;
/* When multiple GIDs map to the same CID, we choose the lowest */
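Review bot: `charset->max_cid` changes meaning in this commit from an element count to the largest CID (inclusive), and nothing in the new code says so. The allocation here, the `cid <= charset->max_cid` test in the lookup hunk and the `max_cid + 1` in cffobjs.c all depend on that reading. A comment at this allocation such as `/* max_cid is the highest CID in use; the table holds max_cid + 1 entries */`, repeated on the field declaration (outside this diff), would keep a later change from reintroducing an off-by-one. The enclosing function starts and ends outside the hunk.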
@@ -807,7 +820,7 @@
FT_UInt result = 0;
- if ( cid < charset->max_cid )
+ if ( cid <= charset->max_cid )
result = charset->cids[cid];
return result;
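Review bot: With `<=`, a `cid` of 0 passes the test even when `charset->max_cid` is 0, so `charset->cids[0]` is now read in a state where the old `<` comparison never touched the array. If `cids` can still be NULL at that point (for example when the CID table was never computed; not visible here), this is a null dereference. `if ( charset->cids && cid <= charset->max_cid )` would guard it. The function's signature is outside the hunk.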
@@ -881,20 +894,7 @@
goto Exit;
for ( j = 1; j < num_glyphs; j++ )
- {
- FT_UShort sid = FT_GET_USHORT();
-
-
- /* this constant is given in the CFF specification */
- if ( sid < 65000L )
- charset->sids[j] = sid;
- else
- {
- FT_TRACE0(( "cff_charset_load:"
- " invalid SID value %d set to zero\n", sid ));
- charset->sids[j] = 0;
- }
- }
+ charset->sids[j] = FT_GET_USHORT();
FT_FRAME_EXIT();
}
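Review bot: With the `sid < 65000L` filter removed, `charset->sids[j] = FT_GET_USHORT();` stores any 16-bit value taken from the font, so every consumer of `charset->sids` must now tolerate SIDs up to 0xFFFF. The allocation change earlier in this commit sizes `cids` for that range, but other users of the SIDs, such as string-table lookups (not visible here), should be confirmed to bounds-check. A comment on the new line would record the decision, e.g. `/* SIDs are not range-checked here; users must handle values up to 0xFFFF */`. The loop belongs to cff_charset_load, whose body continues outside the hunk.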
@@ -927,20 +927,12 @@
goto Exit;
}
- /* check whether the range contains at least one valid glyph; */
- /* the constant is given in the CFF specification */
- if ( glyph_sid >= 65000L )
- {
- FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
- error = CFF_Err_Invalid_File_Format;
- goto Exit;
- }
-
/* try to rescue some of the SIDs if `nleft' is too large */
- if ( nleft > 65000L - 1L || glyph_sid >= 65000L - nleft )
+ if ( glyph_sid > 0xFFFFL - nleft )
{
- FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
- nleft = ( FT_UInt )( 65000L - 1L - glyph_sid );
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed"
+ " nleft=%d -> %d\n", nleft, 0xFFFFL - glyph_sid ));
+ nleft = ( FT_UInt )( 0xFFFFL - glyph_sid );
}
/* Fill in the range of sids -- `nleft + 1' glyphs. */
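Review bot: The trim test `glyph_sid > 0xFFFFL - nleft` no longer bounds `nleft` itself, so it is only correct if `nleft` can never exceed 0xFFFF. On a platform where `long` is no wider than `FT_UInt`, a larger `nleft` would make the subtraction wrap and the trim would be skipped. The reads that set `nleft` are outside the hunk; if they are limited to a byte or a 16-bit value, a comment saying so next to the test (`/* nleft <= 0xFFFF here, so the subtraction cannot wrap */`) would document what the check relies on. Otherwise the removed `nleft >` guard should be kept with the new limit.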
@@ -1277,9 +1269,7 @@
if ( gid != 0 )
{
encoding->codes[j] = (FT_UShort)gid;
-
- if ( encoding->count < j + 1 )
- encoding->count = j + 1;
+ encoding->count = j + 1;
}
else
{
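Review bot: Dropping the `encoding->count < j + 1` test makes `count` follow the last `j` with a non-zero `gid` rather than the maximum seen, which is the same value only if the loop visits `j` in ascending order. The loop header is outside the hunk. If it does ascend, a short comment such as `/* j ascends, so count ends as highest used code + 1 */` would make the invariant explicit for later edits.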
diff --git a/src/cff/cffobjs.c b/src/cff/cffobjs.c
index f8b07c3..1cd35c9 100644
--- a/src/cff/cffobjs.c
+++ b/src/cff/cffobjs.c
@@ -677,7 +677,7 @@
/* compute number of glyphs */
if ( dict->cid_registry != 0xFFFFU )
- cffface->num_glyphs = cff->charset.max_cid;
+ cffface->num_glyphs = cff->charset.max_cid + 1;
else
cffface->num_glyphs = cff->charstrings_index.count;