upgrade freetype to 2.4.2.

Bug: 2969145 Change-Id: I8debbbe0bd478d9cf8c39cff5179981b5f3b371a
author: Nick Kralevich <nnk@google.com> 2010-09-14 17:02:58 -0700
committer: Nick Kralevich <nnk@google.com> 2010-09-15 10:32:30 -0700
commit: aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c (patch)
tree: 2b4c5412391bf31f6a54b237ea83bfde05ec3802 /src/truetype/ttgxvar.c
parent: d4476115dee94297c020b3a2b067188117424e25 (diff)
download: android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.tar.gz
android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.tar.bz2
android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.zip
1 files changed, 8 insertions, 4 deletions
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ef25aaf..653d9d5 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    TrueType GX Font Variation loader                                    */
 /*                                                                         */
-/*  Copyright 2004, 2005, 2006, 2007, 2008, 2009 by                        */
+/*  Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by                  */
 /*  David Turner, Robert Wilhelm, Werner Lemberg, and George Williams.     */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -210,12 +210,12 @@
   ft_var_readpackeddeltas( FT_Stream  stream,
                            FT_Offset  delta_cnt )
   {
-    FT_Short  *deltas;
+    FT_Short  *deltas = NULL;
     FT_UInt    runcnt;
     FT_Offset  i;
     FT_UInt    j;
     FT_Memory  memory = stream->memory;
-    FT_Error   error = TT_Err_Ok;
+    FT_Error   error  = TT_Err_Ok;
 
     FT_UNUSED( error );
 
@@ -682,7 +682,11 @@
       if ( fvar_head.version != (FT_Long)0x00010000L                      ||
            fvar_head.countSizePairs != 2                                  ||
            fvar_head.axisSize != 20                                       ||
+           /* axisCount limit implied by 16-bit instanceSize */
+           fvar_head.axisCount > 0x3FFE                                   ||
            fvar_head.instanceSize != 4 + 4 * fvar_head.axisCount          ||
+           /* instanceCount limit implied by limited range of name IDs */
+           fvar_head.instanceCount > 0x7EFF                               ||
            fvar_head.offsetToData + fvar_head.axisCount * 20U +
              fvar_head.instanceCount * fvar_head.instanceSize > table_len )
       {
@@ -693,7 +697,7 @@
       if ( FT_NEW( face->blend ) )
         goto Exit;
 
-      /* XXX: TODO - check for overflows */
+      /* cannot overflow 32-bit arithmetic because of limits above */
       face->blend->mmvar_len =
         sizeof ( FT_MM_Var ) +
         fvar_head.axisCount * sizeof ( FT_Var_Axis ) +
author	Nick Kralevich <nnk@google.com>	2010-09-14 17:02:58 -0700
committer	Nick Kralevich <nnk@google.com>	2010-09-15 10:32:30 -0700
commit	aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c (patch)
tree	2b4c5412391bf31f6a54b237ea83bfde05ec3802 /src/truetype/ttgxvar.c
parent	d4476115dee94297c020b3a2b067188117424e25 (diff)
download	android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.tar.gz android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.tar.bz2 android_external_freetype-aacb8e1368a883fcbc9fe64fd0e460cef9c9b20c.zip