diff options
| author | David 'Digit' Turner <digit@google.com> | 2011-01-26 13:53:40 +0100 |
|---|---|---|
| committer | David 'Digit' Turner <digit@google.com> | 2011-01-26 13:53:40 +0100 |
| commit | 7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4 (patch) | |
| tree | f9ed9e041d6830735eae3d4af62e9a602851faea /src/truetype/ttinterp.c | |
| parent | cb487e4c5295d0d9bb96ddd3a27372ffad41ae5b (diff) | |
| download | android_external_freetype-7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4.tar.gz android_external_freetype-7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4.tar.bz2 android_external_freetype-7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4.zip | |
Upgrade to upstream 2.4.4
This is necessary to fix several security issues. See b/3344697
Change-Id: Ica5c6387fbd791008199f7994ed03978ed700a69
Diffstat (limited to 'src/truetype/ttinterp.c')
| -rw-r--r-- | src/truetype/ttinterp.c | 38 |
1 files changed, 30 insertions, 8 deletions
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index d22e94f..f55b8ee 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -478,8 +478,7 @@ return TT_Err_Ok; Fail_Memory: - FT_ERROR(( "Init_Context: not enough memory for 0x%08lx\n", - (FT_Long)exec )); + FT_ERROR(( "Init_Context: not enough memory for %p\n", exec )); TT_Done_Context( exec ); return error; @@ -596,6 +595,12 @@ exec->storage = size->storage; exec->twilight = size->twilight; + + /* In case of multi-threading it can happen that the old size object */ + /* no longer exists, thus we must clear all glyph zone references. */ + ft_memset( &exec->zp0, 0, sizeof ( exec->zp0 ) ); + exec->zp1 = exec->zp0; + exec->zp2 = exec->zp0; } /* XXX: We reserve a little more elements on the stack to deal safely */ @@ -5795,7 +5800,16 @@ if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 ) last_point = (FT_UShort)( CUR.zp2.n_points - 1 ); else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 ) + { last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] ); + + if ( BOUNDS( last_point, CUR.zp2.n_points ) ) + { + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + return; + } + } else last_point = 0; @@ -6773,12 +6787,11 @@ { if ( ( CUR.pts.tags[point] & mask ) != 0 ) { - if ( point > 0 ) - _iup_worker_interpolate( &V, - cur_touched + 1, - point - 1, - cur_touched, - point ); + _iup_worker_interpolate( &V, + cur_touched + 1, + point - 1, + cur_touched, + point ); cur_touched = point; } @@ -8128,6 +8141,15 @@ *exc = cur; #endif + /* If any errors have occurred, function tables may be broken. */ + /* Force a re-execution of `prep' and `fpgm' tables if no */ + /* bytecode debugger is run. */ + if ( CUR.error && !CUR.instruction_trap ) + { + FT_TRACE1(( " The interpreter returned error 0x%x\n", CUR.error )); + exc->size->cvt_ready = FALSE; + } + return CUR.error; } |