author | David 'Digit' Turner <digit@google.com> | 2011-01-26 13:53:40 +0100 |
---|---|---|
committer | David 'Digit' Turner <digit@google.com> | 2011-01-26 13:53:40 +0100 |
commit | 7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4 (patch) | |
tree | f9ed9e041d6830735eae3d4af62e9a602851faea /src/sfnt | |
parent | cb487e4c5295d0d9bb96ddd3a27372ffad41ae5b (diff) | |
Upgrade to upstream 2.4.4
This is necessary to fix several security issues. See b/3344697
Change-Id: Ica5c6387fbd791008199f7994ed03978ed700a69
Diffstat (limited to 'src/sfnt')
-rw-r--r-- | src/sfnt/sfobjs.c | 4 | ||||
-rw-r--r-- | src/sfnt/ttload.c | 13 | ||||
-rw-r--r-- | src/sfnt/ttpost.c | 60 |
3 files changed, 61 insertions, 16 deletions
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c index 6e35e2d..5a1d003 100644 --- a/src/sfnt/sfobjs.c +++ b/src/sfnt/sfobjs.c @@ -691,9 +691,7 @@ LOAD_( os2 ); if ( error ) { - if ( error != SFNT_Err_Table_Missing ) - goto Exit; - + /* we treat the table as missing if there are any errors */ face->os2.version = 0xFFFFU; } } diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c index 1c174af..20bac73 100644 --- a/src/sfnt/ttload.c +++ b/src/sfnt/ttload.c @@ -384,6 +384,10 @@ entry = face->dir_tables; + FT_TRACE2(( "\n" + " tag offset length checksum\n" + " ----------------------------------\n" )); + for ( nn = 0; nn < sfnt.num_tables; nn++ ) { entry->Tag = FT_GET_TAG4(); @@ -396,13 +400,14 @@ continue; else { - FT_TRACE2(( " %c%c%c%c - %08lx - %08lx\n", + FT_TRACE2(( " %c%c%c%c %08lx %08lx %08lx\n", (FT_Char)( entry->Tag >> 24 ), (FT_Char)( entry->Tag >> 16 ), (FT_Char)( entry->Tag >> 8 ), (FT_Char)( entry->Tag ), entry->Offset, - entry->Length )); + entry->Length, + entry->CheckSum )); entry++; } } @@ -680,9 +685,9 @@ /* broken fonts like `Keystrokes MT' :-( */ /* */ /* We allocate 64 function entries by default when */ - /* the maxFunctionDefs field is null. */ + /* the maxFunctionDefs value is smaller. */ - if ( maxProfile->maxFunctionDefs == 0 ) + if ( maxProfile->maxFunctionDefs < 64 ) maxProfile->maxFunctionDefs = 64; /* we add 4 phantom points later */ diff --git a/src/sfnt/ttpost.c b/src/sfnt/ttpost.c index aa0bf1e..6f4bb1d 100644 --- a/src/sfnt/ttpost.c +++ b/src/sfnt/ttpost.c @@ -5,7 +5,7 @@ /* Postcript name table processing for TrueType and OpenType fonts */ /* (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009 by */ +/* Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ 
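Review bot: In the `LOAD_( os2 )` error branch of src/sfnt/sfobjs.c, dropping the `SFNT_Err_Table_Missing` test means allocation and stream-read failures are now handled exactly like an absent or malformed OS/2 table, and nothing records that this happened. The enclosing function lies outside the hunk, so whether `error` is reset before the next check cannot be confirmed here; if it is not, add `error = SFNT_Err_Ok;` after `face->os2.version = 0xFFFFU;`. I would also extend the comment to state the contract, e.g. `/* any error: OS/2 data is untrusted; test os2.version != 0xFFFFU before reading other os2 fields */`, since a load that failed midway may leave the other fields partly filled.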
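Review bot: In the `maxFunctionDefs` fix-up in src/sfnt/ttload.c the floor value 64 is now written three times (comment, comparison, assignment), and the comment does not say why 64 is sufficient. A named constant would keep the test and the assignment in step, e.g. `#define TT_MIN_FUNCTION_DEFS 64` with `if ( maxProfile->maxFunctionDefs < TT_MIN_FUNCTION_DEFS )`; the macro name is a suggestion, not an existing one. Because the field is read from the font file, the comment should also say that this is only a lower bound and where, if anywhere, an upper bound is enforced; the rest of the function is outside the hunk.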
@@ -26,6 +26,7 @@ #include <ft2build.h> +#include FT_INTERNAL_DEBUG_H #include FT_INTERNAL_STREAM_H #include FT_TRUETYPE_TAGS_H #include "ttpost.h" @@ -153,7 +154,8 @@ static FT_Error load_format_20( TT_Face face, - FT_Stream stream ) + FT_Stream stream, + FT_Long post_limit ) { FT_Memory memory = stream->memory; FT_Error error; @@ -230,13 +232,46 @@ FT_UInt len; - if ( FT_READ_BYTE ( len ) || - FT_NEW_ARRAY( name_strings[n], len + 1 ) || - FT_STREAM_READ ( name_strings[n], len ) ) + if ( FT_STREAM_POS() >= post_limit ) + break; + else + { + FT_TRACE6(( "load_format_20: %d byte left in post table\n", + post_limit - FT_STREAM_POS() )); + + if ( FT_READ_BYTE( len ) ) + goto Fail1; + } + + if ( (FT_Int)len > post_limit || + FT_STREAM_POS() > post_limit - (FT_Int)len ) + { + FT_ERROR(( "load_format_20:" + " exceeding string length (%d)," + " truncating at end of post table (%d byte left)\n", + len, post_limit - FT_STREAM_POS() )); + len = FT_MAX( 0, post_limit - FT_STREAM_POS() ); + } + + if ( FT_NEW_ARRAY( name_strings[n], len + 1 ) || + FT_STREAM_READ( name_strings[n], len ) ) goto Fail1; name_strings[n][len] = '\0'; } + + if ( n < num_names ) + { + FT_ERROR(( "load_format_20:" + " all entries in post table are already parsed," + " using NULL names for gid %d - %d\n", + n, num_names - 1 )); + for ( ; n < num_names; n++ ) + if ( FT_NEW_ARRAY( name_strings[n], 1 ) ) + goto Fail1; + else + name_strings[n][0] = '\0'; + } } /* all right, set table fields and exit successfully */ @@ -271,7 +306,8 @@ static FT_Error load_format_25( TT_Face face, - FT_Stream stream ) + FT_Stream stream, + FT_Long post_limit ) { FT_Memory memory = stream->memory; FT_Error error; @@ -279,6 +315,8 @@ FT_Int num_glyphs; FT_Char* offset_table = 0; + FT_UNUSED( post_limit ); + /* UNDOCUMENTED! This value appears only in the Apple TT specs. */ if ( FT_READ_USHORT( num_glyphs ) ) 
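Review bot: Two of the new diagnostics in `load_format_20` print `post_limit - FT_STREAM_POS()` with `%d`, but `post_limit` is declared `FT_Long` in this patch, so the argument is at least `long` wide and the specifier does not match on LP64 targets. Use `%ld` for the remaining-byte values, i.e. `"load_format_20: %ld byte left in post table\n"` and `" truncating at end of post table (%ld byte left)\n"`, and `%u` for `len`, which is an `FT_UInt`. This presumably only shows up in builds where `FT_TRACE6` and `FT_ERROR` expand to real calls, but those are the builds used to examine suspicious fonts, so the output should be reliable there. The function body continues outside the hunk.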
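Review bot: `load_format_25` now takes `post_limit` but immediately discards it with `FT_UNUSED( post_limit )`, so the table-length bound this commit introduces for format 2.0 is not applied to format 2.5 tables. The code that reads `num_glyphs` and fills `offset_table` is outside the hunk, so how far it may read cannot be judged here; if it reads `num_glyphs` bytes from the stream, it should first check that they fit before `post_limit` and otherwise return `SFNT_Err_Invalid_File_Format`. If leaving it unbounded is deliberate, replace the bare `FT_UNUSED` with a comment that says so, e.g. `/* format 2.5 reads are bounded by the stream only; post_limit is not enforced here */`.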
@@ -338,16 +376,20 @@ FT_Stream stream; FT_Error error; FT_Fixed format; + FT_ULong post_len; + FT_Long post_limit; /* get a stream for the face's resource */ stream = face->root.stream; /* seek to the beginning of the PS names table */ - error = face->goto_table( face, TTAG_post, stream, 0 ); + error = face->goto_table( face, TTAG_post, stream, &post_len ); if ( error ) goto Exit; + post_limit = FT_STREAM_POS() + post_len; + format = face->postscript.FormatType; /* go to beginning of subtable */ @@ -356,9 +398,9 @@ /* now read postscript table */ if ( format == 0x00020000L ) - error = load_format_20( face, stream ); + error = load_format_20( face, stream, post_limit ); else if ( format == 0x00028000L ) - error = load_format_25( face, stream ); + error = load_format_25( face, stream, post_limit ); else error = SFNT_Err_Invalid_File_Format; |
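Review bot: `post_limit = FT_STREAM_POS() + post_len;` stores an `FT_ULong` length, which `goto_table` appears to report from the font's table directory, into a signed `FT_Long` without any range check. A length larger than the remaining stream yields a limit past the end of the data, and a very large one can wrap to a negative value, so the new checks in `load_format_20` are only as good as this number. Unless the directory loader already guarantees that offset plus length lies inside the stream (not visible here), clamp it first, e.g. `if ( post_len > stream->size - FT_STREAM_POS() ) post_len = stream->size - FT_STREAM_POS();`. The enclosing function starts and ends outside the hunk.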