diff options
author | Nick Kralevich <nnk@google.com> | 2010-09-14 17:02:58 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2010-09-15 10:32:30 -0700 |
commit | aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c (patch) | |
tree | 2b4c5412391bf31f6a54b237ea83bfde05ec3802 /src/truetype/ttgxvar.c | |
parent | d4476115dee94297c020b3a2b067188117424e25 (diff) | |
download | android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.tar.gz android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.tar.bz2 android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.zip |
upgrade freetype to 2.4.2.
Bug: 2969145
Change-Id: I8debbbe0bd478d9cf8c39cff5179981b5f3b371a
Diffstat (limited to 'src/truetype/ttgxvar.c')
-rw-r--r-- | src/truetype/ttgxvar.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index ef25aaf..653d9d5 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -4,7 +4,7 @@ /* */ /* TrueType GX Font Variation loader */ /* */ -/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */ /* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -210,12 +210,12 @@ ft_var_readpackeddeltas( FT_Stream stream, FT_Offset delta_cnt ) { - FT_Short *deltas; + FT_Short *deltas = NULL; FT_UInt runcnt; FT_Offset i; FT_UInt j; FT_Memory memory = stream->memory; - FT_Error error = TT_Err_Ok; + FT_Error error = TT_Err_Ok; FT_UNUSED( error ); @@ -682,7 +682,11 @@ if ( fvar_head.version != (FT_Long)0x00010000L || fvar_head.countSizePairs != 2 || fvar_head.axisSize != 20 || + /* axisCount limit implied by 16-bit instanceSize */ + fvar_head.axisCount > 0x3FFE || fvar_head.instanceSize != 4 + 4 * fvar_head.axisCount || + /* instanceCount limit implied by limited range of name IDs */ + fvar_head.instanceCount > 0x7EFF || fvar_head.offsetToData + fvar_head.axisCount * 20U + fvar_head.instanceCount * fvar_head.instanceSize > table_len ) { @@ -693,7 +697,7 @@ if ( FT_NEW( face->blend ) ) goto Exit; - /* XXX: TODO - check for overflows */ + /* cannot overflow 32-bit arithmetic because of limits above */ face->blend->mmvar_len = sizeof ( FT_MM_Var ) + fvar_head.axisCount * sizeof ( FT_Var_Axis ) + |