summaryrefslogtreecommitdiffstats
path: root/src/sfnt
diff options
context:
space:
mode:
Diffstat (limited to 'src/sfnt')
-rw-r--r--src/sfnt/pngshim.c53
-rw-r--r--src/sfnt/pngshim.h3
-rw-r--r--src/sfnt/sfdriver.c32
-rw-r--r--src/sfnt/sfdriver.h2
-rw-r--r--src/sfnt/sferrors.h2
-rw-r--r--src/sfnt/sfnt.c2
-rw-r--r--src/sfnt/sfntpic.c2
-rw-r--r--src/sfnt/sfntpic.h2
-rw-r--r--src/sfnt/sfobjs.c40
-rw-r--r--src/sfnt/sfobjs.h2
-rw-r--r--src/sfnt/ttbdf.c2
-rw-r--r--src/sfnt/ttbdf.h2
-rw-r--r--src/sfnt/ttcmap.c79
-rw-r--r--src/sfnt/ttcmap.h2
-rw-r--r--src/sfnt/ttcmapc.h2
-rw-r--r--src/sfnt/ttkern.c8
-rw-r--r--src/sfnt/ttkern.h2
-rw-r--r--src/sfnt/ttload.c55
-rw-r--r--src/sfnt/ttload.h2
-rw-r--r--src/sfnt/ttmtx.c6
-rw-r--r--src/sfnt/ttmtx.h4
-rw-r--r--src/sfnt/ttpost.c34
-rw-r--r--src/sfnt/ttpost.h2
-rw-r--r--src/sfnt/ttsbit.c98
-rw-r--r--src/sfnt/ttsbit.h2
25 files changed, 268 insertions, 172 deletions
diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
index 9afbe5a..ea60452 100644
--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
@@ -4,7 +4,8 @@
/* */
/* PNG Bitmap glyph support. */
/* */
-/* Copyright 2013, 2014 by Google, Inc. */
+/* Copyright 2013-2015 by */
+/* Google, Inc. */
/* Written by Stuart Gill and Behdad Esfahbod. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -36,11 +37,11 @@
/* This code is freely based on cairo-png.c. There's so many ways */
/* to call libpng, and the way cairo does it is defacto standard. */
- static int
- multiply_alpha( int alpha,
- int color )
+ static unsigned int
+ multiply_alpha( unsigned int alpha,
+ unsigned int color )
{
- int temp = ( alpha * color ) + 0x80;
+ unsigned int temp = alpha * color + 0x80;
return ( temp + ( temp >> 8 ) ) >> 8;
@@ -81,10 +82,10 @@
blue = multiply_alpha( alpha, blue );
}
- base[0] = blue;
- base[1] = green;
- base[2] = red;
- base[3] = alpha;
+ base[0] = (unsigned char)blue;
+ base[1] = (unsigned char)green;
+ base[2] = (unsigned char)red;
+ base[3] = (unsigned char)alpha;
}
}
}
@@ -109,9 +110,9 @@
unsigned int blue = base[2];
- base[0] = blue;
- base[1] = green;
- base[2] = red;
+ base[0] = (unsigned char)blue;
+ base[1] = (unsigned char)green;
+ base[2] = (unsigned char)red;
base[3] = 0xFF;
}
}
@@ -205,11 +206,11 @@
goto Exit;
}
- if ( !populate_map_and_metrics &&
- ( x_offset + metrics->width > map->width ||
- y_offset + metrics->height > map->rows ||
- pix_bits != 32 ||
- map->pixel_mode != FT_PIXEL_MODE_BGRA ) )
+ if ( !populate_map_and_metrics &&
+ ( (FT_UInt)x_offset + metrics->width > map->width ||
+ (FT_UInt)y_offset + metrics->height > map->rows ||
+ pix_bits != 32 ||
+ map->pixel_mode != FT_PIXEL_MODE_BGRA ) )
{
error = FT_THROW( Invalid_Argument );
goto Exit;
@@ -257,19 +258,27 @@
if ( populate_map_and_metrics )
{
- FT_Long size;
+ FT_ULong size;
- metrics->width = (FT_Int)imgWidth;
- metrics->height = (FT_Int)imgHeight;
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
map->width = metrics->width;
map->rows = metrics->height;
map->pixel_mode = FT_PIXEL_MODE_BGRA;
- map->pitch = map->width * 4;
+ map->pitch = (int)( map->width * 4 );
map->num_grays = 256;
- size = map->rows * map->pitch;
+ /* reject too large bitmaps similarly to the rasterizer */
+ if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto DestroyExit;
+ }
+
+ /* this doesn't overflow: 0x7FFF * 0x7FFF * 4 < 2^32 */
+ size = map->rows * (FT_ULong)map->pitch;
error = ft_glyphslot_alloc_bitmap( slot, size );
if ( error )
diff --git a/src/sfnt/pngshim.h b/src/sfnt/pngshim.h
index dc9ecaf..4cc5c2b 100644
--- a/src/sfnt/pngshim.h
+++ b/src/sfnt/pngshim.h
@@ -4,7 +4,8 @@
/* */
/* PNG Bitmap glyph support. */
/* */
-/* Copyright 2013 by Google, Inc. */
+/* Copyright 2013-2015 by */
+/* Google, Inc. */
/* Written by Stuart Gill and Behdad Esfahbod. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/sfdriver.c b/src/sfnt/sfdriver.c
index e4fcda5..0948ad4 100644
--- a/src/sfnt/sfdriver.c
+++ b/src/sfnt/sfdriver.c
@@ -4,7 +4,7 @@
/* */
/* High-level SFNT driver interface (body). */
/* */
-/* Copyright 1996-2007, 2009-2014 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -75,36 +75,36 @@
switch ( tag )
{
- case ft_sfnt_head:
+ case FT_SFNT_HEAD:
table = &face->header;
break;
- case ft_sfnt_hhea:
+ case FT_SFNT_HHEA:
table = &face->horizontal;
break;
- case ft_sfnt_vhea:
- table = face->vertical_info ? &face->vertical : 0;
+ case FT_SFNT_VHEA:
+ table = face->vertical_info ? &face->vertical : NULL;
break;
- case ft_sfnt_os2:
- table = face->os2.version == 0xFFFFU ? 0 : &face->os2;
+ case FT_SFNT_OS2:
+ table = face->os2.version == 0xFFFFU ? NULL : &face->os2;
break;
- case ft_sfnt_post:
+ case FT_SFNT_POST:
table = &face->postscript;
break;
- case ft_sfnt_maxp:
+ case FT_SFNT_MAXP:
table = &face->max_profile;
break;
- case ft_sfnt_pclt:
- table = face->pclt.Version ? &face->pclt : 0;
+ case FT_SFNT_PCLT:
+ table = face->pclt.Version ? &face->pclt : NULL;
break;
default:
- table = 0;
+ table = NULL;
}
return table;
@@ -266,7 +266,7 @@
{
FT_Stream stream = face->name_table.stream;
FT_String* r = (FT_String*)result;
- FT_Byte* p;
+ FT_Char* p;
if ( FT_STREAM_SEEK( name->stringOffset ) ||
@@ -280,11 +280,11 @@
goto Exit;
}
- p = (FT_Byte*)stream->cursor;
+ p = (FT_Char*)stream->cursor;
for ( ; len > 0; len--, p += 2 )
{
- if ( p[0] == 0 && p[1] >= 32 && p[1] < 128 )
+ if ( p[0] == 0 && p[1] >= 32 )
*r++ = p[1];
}
*r = '\0';
@@ -427,7 +427,7 @@
sfnt_get_interface( FT_Module module,
const char* module_interface )
{
- /* SFNT_SERVICES_GET derefers `library' in PIC mode */
+ /* SFNT_SERVICES_GET dereferences `library' in PIC mode */
#ifdef FT_CONFIG_OPTION_PIC
FT_Library library;
diff --git a/src/sfnt/sfdriver.h b/src/sfnt/sfdriver.h
index 5de25d5..944119c 100644
--- a/src/sfnt/sfdriver.h
+++ b/src/sfnt/sfdriver.h
@@ -4,7 +4,7 @@
/* */
/* High-level SFNT driver interface (specification). */
/* */
-/* Copyright 1996-2001 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/sferrors.h b/src/sfnt/sferrors.h
index e981e1d..e3bef3f 100644
--- a/src/sfnt/sferrors.h
+++ b/src/sfnt/sferrors.h
@@ -4,7 +4,7 @@
/* */
/* SFNT error codes (specification only). */
/* */
-/* Copyright 2001, 2004, 2012, 2013 by */
+/* Copyright 2001-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/sfnt.c b/src/sfnt/sfnt.c
index d62ed4e..0b8b5f4 100644
--- a/src/sfnt/sfnt.c
+++ b/src/sfnt/sfnt.c
@@ -4,7 +4,7 @@
/* */
/* Single object library component. */
/* */
-/* Copyright 1996-2006, 2013 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/sfntpic.c b/src/sfnt/sfntpic.c
index b3fb24b..2aaf4bc 100644
--- a/src/sfnt/sfntpic.c
+++ b/src/sfnt/sfntpic.c
@@ -4,7 +4,7 @@
/* */
/* The FreeType position independent code services for sfnt module. */
/* */
-/* Copyright 2009, 2010, 2012, 2013 by */
+/* Copyright 2009-2015 by */
/* Oran Agra and Mickey Gabel. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/sfntpic.h b/src/sfnt/sfntpic.h
index b09a914..563d634 100644
--- a/src/sfnt/sfntpic.h
+++ b/src/sfnt/sfntpic.h
@@ -4,7 +4,7 @@
/* */
/* The FreeType position independent code services for sfnt module. */
/* */
-/* Copyright 2009, 2012 by */
+/* Copyright 2009-2015 by */
/* Oran Agra and Mickey Gabel. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index 44aa467..40c27fa 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -4,7 +4,7 @@
/* */
/* SFNT object management (base). */
/* */
-/* Copyright 1996-2008, 2010-2014 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -376,8 +376,8 @@
FT_FREE( stream->base );
stream->size = 0;
- stream->base = 0;
- stream->close = 0;
+ stream->base = NULL;
+ stream->close = NULL;
}
@@ -567,8 +567,10 @@
if ( table->Offset != woff_offset ||
- table->Offset + table->CompLength > woff.length ||
- sfnt_offset + table->OrigLength > woff.totalSfntSize ||
+ table->CompLength > woff.length ||
+ table->Offset > woff.length - table->CompLength ||
+ table->OrigLength > woff.totalSfntSize ||
+ sfnt_offset > woff.totalSfntSize - table->OrigLength ||
table->CompLength > table->OrigLength )
{
error = FT_THROW( Invalid_Table );
@@ -578,8 +580,8 @@
table->OrigOffset = sfnt_offset;
/* The offsets must be multiples of 4. */
- woff_offset += ( table->CompLength + 3 ) & ~3;
- sfnt_offset += ( table->OrigLength + 3 ) & ~3;
+ woff_offset += ( table->CompLength + 3 ) & ~3U;
+ sfnt_offset += ( table->OrigLength + 3 ) & ~3U;
}
/*
@@ -607,7 +609,7 @@
if ( woff.privOffset )
{
/* ... if it isn't the last block. */
- woff_offset = ( woff_offset + 3 ) & ~3;
+ woff_offset = ( woff_offset + 3 ) & ~3U;
if ( woff.privOffset != woff_offset ||
woff.privOffset + woff.privLength > woff.length )
@@ -1016,7 +1018,6 @@
if ( is_apple_sbix )
has_outline = FALSE;
-
/* if this font doesn't contain outlines, we try to load */
/* a `bhed' table */
if ( !has_outline && sfnt->load_bhed )
@@ -1430,8 +1431,8 @@
root->ascender = face->horizontal.Ascender;
root->descender = face->horizontal.Descender;
- root->height = (FT_Short)( root->ascender - root->descender +
- face->horizontal.Line_Gap );
+ root->height = root->ascender - root->descender +
+ face->horizontal.Line_Gap;
if ( !( root->ascender || root->descender ) )
{
@@ -1442,23 +1443,24 @@
root->ascender = face->os2.sTypoAscender;
root->descender = face->os2.sTypoDescender;
- root->height = (FT_Short)( root->ascender - root->descender +
- face->os2.sTypoLineGap );
+ root->height = root->ascender - root->descender +
+ face->os2.sTypoLineGap;
}
else
{
root->ascender = (FT_Short)face->os2.usWinAscent;
root->descender = -(FT_Short)face->os2.usWinDescent;
- root->height = (FT_UShort)( root->ascender - root->descender );
+ root->height = root->ascender - root->descender;
}
}
}
- root->max_advance_width = face->horizontal.advance_Width_Max;
- root->max_advance_height = (FT_Short)( face->vertical_info
- ? face->vertical.advance_Height_Max
- : root->height );
+ root->max_advance_width =
+ (FT_Short)face->horizontal.advance_Width_Max;
+ root->max_advance_height =
+ (FT_Short)( face->vertical_info ? face->vertical.advance_Height_Max
+ : root->height );
/* See http://www.microsoft.com/OpenType/OTSpec/post.htm -- */
/* Adjust underline position from top edge to centre of */
@@ -1568,7 +1570,7 @@
FT_FREE( face->postscript_name );
- face->sfnt = 0;
+ face->sfnt = NULL;
}
diff --git a/src/sfnt/sfobjs.h b/src/sfnt/sfobjs.h
index 6241c93..77c7d92 100644
--- a/src/sfnt/sfobjs.h
+++ b/src/sfnt/sfobjs.h
@@ -4,7 +4,7 @@
/* */
/* SFNT object management (specification). */
/* */
-/* Copyright 1996-2001, 2002 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/ttbdf.c b/src/sfnt/ttbdf.c
index 9401dae..098b781 100644
--- a/src/sfnt/ttbdf.c
+++ b/src/sfnt/ttbdf.c
@@ -4,7 +4,7 @@
/* */
/* TrueType and OpenType embedded BDF properties (body). */
/* */
-/* Copyright 2005, 2006, 2010, 2013 by */
+/* Copyright 2005-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/ttbdf.h b/src/sfnt/ttbdf.h
index 48a10d6..fe4ba48 100644
--- a/src/sfnt/ttbdf.h
+++ b/src/sfnt/ttbdf.h
@@ -4,7 +4,7 @@
/* */
/* TrueType and OpenType embedded BDF properties (specification). */
/* */
-/* Copyright 2005 by */
+/* Copyright 2005-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index f9acf5d..815ee7c 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -4,7 +4,7 @@
/* */
/* TrueType character mapping table (cmap) support (body). */
/* */
-/* Copyright 2002-2010, 2012-2014 by */
+/* Copyright 2002-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -360,7 +360,7 @@
ids = p - 2 + offset;
- if ( ids < glyph_ids || ids + code_count*2 > table + length )
+ if ( ids < glyph_ids || ids + code_count * 2 > table + length )
FT_INVALID_OFFSET;
/* check glyph IDs */
@@ -375,7 +375,7 @@
idx = TT_NEXT_USHORT( p );
if ( idx != 0 )
{
- idx = ( idx + delta ) & 0xFFFFU;
+ idx = (FT_UInt)( (FT_Int)idx + delta ) & 0xFFFFU;
if ( idx >= TT_VALID_GLYPH_COUNT( valid ) )
FT_INVALID_GLYPH_ID;
}
@@ -472,7 +472,7 @@
idx = TT_PEEK_USHORT( p );
if ( idx != 0 )
- result = (FT_UInt)( idx + delta ) & 0xFFFFU;
+ result = (FT_UInt)( (FT_Int)idx + delta ) & 0xFFFFU;
}
}
return result;
@@ -524,7 +524,7 @@
if ( idx != 0 )
{
- gindex = ( idx + delta ) & 0xFFFFU;
+ gindex = (FT_UInt)( (FT_Int)idx + delta ) & 0xFFFFU;
if ( gindex != 0 )
{
result = charcode;
@@ -786,7 +786,7 @@
if ( gindex != 0 )
{
- gindex = (FT_UInt)( ( gindex + delta ) & 0xFFFFU );
+ gindex = (FT_UInt)( (FT_Int)gindex + delta ) & 0xFFFFU;
if ( gindex != 0 )
{
cmap->cur_charcode = charcode;
@@ -800,7 +800,7 @@
{
do
{
- FT_UInt gindex = (FT_UInt)( ( charcode + delta ) & 0xFFFFU );
+ FT_UInt gindex = (FT_UInt)( (FT_Int)charcode + delta ) & 0xFFFFU;
if ( gindex != 0 )
@@ -845,9 +845,6 @@
p = table + 2; /* skip format */
length = TT_NEXT_USHORT( p );
- if ( length < 16 )
- FT_INVALID_TOO_SHORT;
-
/* in certain fonts, the `length' field is invalid and goes */
/* out of bound. We try to correct this here... */
if ( table + length > valid->limit )
@@ -858,6 +855,9 @@
length = (FT_UInt)( valid->limit - table );
}
+ if ( length < 16 )
+ FT_INVALID_TOO_SHORT;
+
p = table + 6;
num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */
@@ -993,7 +993,7 @@
idx = FT_NEXT_USHORT( p );
if ( idx != 0 )
{
- idx = (FT_UInt)( idx + delta ) & 0xFFFFU;
+ idx = (FT_UInt)( (FT_Int)idx + delta ) & 0xFFFFU;
if ( idx >= TT_VALID_GLYPH_COUNT( valid ) )
FT_INVALID_GLYPH_ID;
@@ -1090,10 +1090,10 @@
p += offset + ( charcode - start ) * 2;
gindex = TT_PEEK_USHORT( p );
if ( gindex != 0 )
- gindex = (FT_UInt)( gindex + delta ) & 0xFFFFU;
+ gindex = (FT_UInt)( (FT_Int)gindex + delta ) & 0xFFFFU;
}
else
- gindex = (FT_UInt)( charcode + delta ) & 0xFFFFU;
+ gindex = (FT_UInt)( (FT_Int)charcode + delta ) & 0xFFFFU;
break;
}
@@ -1294,10 +1294,10 @@
p += offset + ( charcode - start ) * 2;
gindex = TT_PEEK_USHORT( p );
if ( gindex != 0 )
- gindex = (FT_UInt)( gindex + delta ) & 0xFFFFU;
+ gindex = (FT_UInt)( (FT_Int)gindex + delta ) & 0xFFFFU;
}
else
- gindex = (FT_UInt)( charcode + delta ) & 0xFFFFU;
+ gindex = (FT_UInt)( (FT_Int)charcode + delta ) & 0xFFFFU;
break;
}
@@ -1669,7 +1669,8 @@
p = is32 + 8192; /* skip `is32' array */
num_groups = TT_NEXT_ULONG( p );
- if ( p + num_groups * 12 > valid->limit )
+ /* p + num_groups * 12 > valid->limit ? */
+ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -1694,7 +1695,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
count = (FT_UInt32)( end - start + 1 );
@@ -1892,7 +1898,9 @@
count = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 20 + count * 2 )
+ /* length < 20 + count * 2 ? */
+ length < 20 ||
+ ( length - 20 ) / 2 < count )
FT_INVALID_TOO_SHORT;
/* check glyph indices */
@@ -2079,7 +2087,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2101,7 +2111,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
}
@@ -2401,7 +2416,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2787,7 +2804,9 @@
num_selectors = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 10 + 11 * num_selectors )
+ /* length < 10 + 11 * num_selectors ? */
+ length < 10 ||
+ ( length - 10 ) / 11 < num_selectors )
FT_INVALID_TOO_SHORT;
/* check selectors, they must be in increasing order */
@@ -2823,7 +2842,8 @@
FT_ULong lastBase = 0;
- if ( defp + numRanges * 4 > valid->limit )
+ /* defp + numRanges * 4 > valid->limit ? */
+ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numRanges; ++i )
@@ -2850,7 +2870,8 @@
FT_ULong i, lastUni = 0;
- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
+ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )
@@ -3475,20 +3496,12 @@
{
FT_ERROR(( "tt_face_build_cmaps:"
" unsupported `cmap' table format = %d\n",
- TT_PEEK_USHORT( p - 2) ));
+ TT_PEEK_USHORT( p - 2 ) ));
return FT_THROW( Invalid_Table );
}
num_cmaps = TT_NEXT_USHORT( p );
-#ifdef FT_MAX_CHARMAP_CACHEABLE
- if ( num_cmaps > FT_MAX_CHARMAP_CACHEABLE )
- FT_ERROR(( "tt_face_build_cmaps: too many cmap subtables (%d)\n"
- " subtable #%d and higher are loaded"
- " but cannot be searched\n",
- num_cmaps, FT_MAX_CHARMAP_CACHEABLE + 1 ));
-#endif
-
for ( ; num_cmaps > 0 && p + 8 <= limit; num_cmaps-- )
{
FT_CharMapRec charmap;
diff --git a/src/sfnt/ttcmap.h b/src/sfnt/ttcmap.h
index 0fde167..b7ea8ee 100644
--- a/src/sfnt/ttcmap.h
+++ b/src/sfnt/ttcmap.h
@@ -4,7 +4,7 @@
/* */
/* TrueType character mapping table (cmap) support (specification). */
/* */
-/* Copyright 2002-2005, 2009, 2012 by */
+/* Copyright 2002-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/ttcmapc.h b/src/sfnt/ttcmapc.h
index 2ea2043..4a48940 100644
--- a/src/sfnt/ttcmapc.h
+++ b/src/sfnt/ttcmapc.h
@@ -4,7 +4,7 @@
/* */
/* TT CMAP classes definitions (specification only). */
/* */
-/* Copyright 2009 by */
+/* Copyright 2009-2015 by */
/* Oran Agra and Mickey Gabel. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c
index 32c4008..4fccc53 100644
--- a/src/sfnt/ttkern.c
+++ b/src/sfnt/ttkern.c
@@ -5,7 +5,7 @@
/* Load the basic TrueType kerning table. This doesn't handle */
/* kerning data within the GPOS table at the moment. */
/* */
-/* Copyright 1996-2007, 2009, 2010, 2013 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -99,7 +99,7 @@
length = FT_NEXT_USHORT( p );
coverage = FT_NEXT_USHORT( p );
- if ( length <= 6 )
+ if ( length <= 6 + 8 )
break;
p_next += length;
@@ -108,8 +108,8 @@
p_next = p_limit;
/* only use horizontal kerning tables */
- if ( ( coverage & ~8 ) != 0x0001 ||
- p + 8 > p_limit )
+ if ( ( coverage & ~8U ) != 0x0001 ||
+ p + 8 > p_limit )
goto NextTable;
num_pairs = FT_NEXT_USHORT( p );
diff --git a/src/sfnt/ttkern.h b/src/sfnt/ttkern.h
index df1da9b..89cb24f 100644
--- a/src/sfnt/ttkern.h
+++ b/src/sfnt/ttkern.h
@@ -5,7 +5,7 @@
/* Load the basic TrueType kerning table. This doesn't handle */
/* kerning data within the GPOS table at the moment. */
/* */
-/* Copyright 1996-2001, 2002, 2005, 2007 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 0a3cd29..ad2975d 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -5,7 +5,7 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (body). */
/* */
-/* Copyright 1996-2010, 2012, 2013 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -207,10 +207,24 @@
}
/* we ignore invalid tables */
- if ( table.Offset + table.Length > stream->size )
- {
- FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
+
+ if ( table.Offset > stream->size )
continue;
+ else if ( table.Length > stream->size - table.Offset )
+ {
+ /* Some tables have such a simple structure that clipping its */
+ /* contents is harmless. This also makes FreeType less sensitive */
+ /* to invalid table lengths (which programs like Acroread seem to */
+ /* ignore in general). */
+
+ if ( table.Tag == TTAG_hmtx ||
+ table.Tag == TTAG_vmtx )
+ valid_entries++;
+ else
+ {
+ FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
+ continue;
+ }
}
else
valid_entries++;
@@ -394,9 +408,38 @@
entry->Offset = FT_GET_ULONG();
entry->Length = FT_GET_ULONG();
- /* ignore invalid tables */
- if ( entry->Offset + entry->Length > stream->size )
+ /* ignore invalid tables that can't be sanitized */
+
+ if ( entry->Offset > stream->size )
continue;
+ else if ( entry->Length > stream->size - entry->Offset )
+ {
+ if ( entry->Tag == TTAG_hmtx ||
+ entry->Tag == TTAG_vmtx )
+ {
+#ifdef FT_DEBUG_LEVEL_TRACE
+ FT_ULong old_length = entry->Length;
+#endif
+
+
+ /* make metrics table length a multiple of 4 */
+ entry->Length = ( stream->size - entry->Offset ) & ~3U;
+
+ FT_TRACE2(( " %c%c%c%c %08lx %08lx %08lx"
+ " (sanitized; original length %08lx)\n",
+ (FT_Char)( entry->Tag >> 24 ),
+ (FT_Char)( entry->Tag >> 16 ),
+ (FT_Char)( entry->Tag >> 8 ),
+ (FT_Char)( entry->Tag ),
+ entry->Offset,
+ entry->Length,
+ entry->CheckSum,
+ old_length ));
+ entry++;
+ }
+ else
+ continue;
+ }
else
{
FT_TRACE2(( " %c%c%c%c %08lx %08lx %08lx\n",
diff --git a/src/sfnt/ttload.h b/src/sfnt/ttload.h
index 49a1aee..a6d91c5 100644
--- a/src/sfnt/ttload.h
+++ b/src/sfnt/ttload.h
@@ -5,7 +5,7 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (specification). */
/* */
-/* Copyright 1996-2001, 2002, 2005, 2006 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/ttmtx.c b/src/sfnt/ttmtx.c
index a8cc63a..58309aa 100644
--- a/src/sfnt/ttmtx.c
+++ b/src/sfnt/ttmtx.c
@@ -4,7 +4,7 @@
/* */
/* Load the metrics tables common to TTF and OTF fonts (body). */
/* */
-/* Copyright 2006-2009, 2011-2013 by */
+/* Copyright 2006-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -201,7 +201,7 @@
/* aadvance :: The advance width or advance height, depending on */
/* the `vertical' flag. */
/* */
- FT_LOCAL_DEF( FT_Error )
+ FT_LOCAL_DEF( void )
tt_face_get_metrics( TT_Face face,
FT_Bool vertical,
FT_UInt gindex,
@@ -274,8 +274,6 @@
*abearing = 0;
*aadvance = 0;
}
-
- return FT_Err_Ok;
}
diff --git a/src/sfnt/ttmtx.h b/src/sfnt/ttmtx.h
index 8b91a11..096ee06 100644
--- a/src/sfnt/ttmtx.h
+++ b/src/sfnt/ttmtx.h
@@ -4,7 +4,7 @@
/* */
/* Load the metrics tables common to TTF and OTF fonts (specification). */
/* */
-/* Copyright 2006 by */
+/* Copyright 2006-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -40,7 +40,7 @@ FT_BEGIN_HEADER
FT_Bool vertical );
- FT_LOCAL( FT_Error )
+ FT_LOCAL( void )
tt_face_get_metrics( TT_Face face,
FT_Bool vertical,
FT_UInt gindex,
diff --git a/src/sfnt/ttpost.c b/src/sfnt/ttpost.c
index 99d8005..8d29d1e 100644
--- a/src/sfnt/ttpost.c
+++ b/src/sfnt/ttpost.c
@@ -5,7 +5,7 @@
/* Postcript name table processing for TrueType and OpenType fonts */
/* (body). */
/* */
-/* Copyright 1996-2003, 2006-2010, 2013, 2014 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -52,7 +52,7 @@
#include FT_SERVICE_POSTSCRIPT_CMAPS_H
-#define MAC_NAME( x ) ( (FT_String*)psnames->macintosh_name( x ) )
+#define MAC_NAME( x ) (FT_String*)psnames->macintosh_name( (FT_UInt)(x) )
#else /* FT_CONFIG_OPTION_POSTSCRIPT_NAMES */
@@ -62,7 +62,7 @@
/* table of Mac names. Thus, it is possible to build a version of */
/* FreeType without the Type 1 driver & PSNames module. */
-#define MAC_NAME( x ) ( (FT_String*)tt_post_default_names[x] )
+#define MAC_NAME( x ) (FT_String*)tt_post_default_names[x]
/* the 258 default Mac PS glyph names; see file `tools/glnames.py' */
@@ -155,7 +155,7 @@
static FT_Error
load_format_20( TT_Face face,
FT_Stream stream,
- FT_Long post_limit )
+ FT_ULong post_limit )
{
FT_Memory memory = stream->memory;
FT_Error error;
@@ -163,8 +163,8 @@
FT_Int num_glyphs;
FT_UShort num_names;
- FT_UShort* glyph_indices = 0;
- FT_Char** name_strings = 0;
+ FT_UShort* glyph_indices = NULL;
+ FT_Char** name_strings = NULL;
if ( FT_READ_USHORT( num_glyphs ) )
@@ -243,14 +243,17 @@
goto Fail1;
}
- if ( (FT_Int)len > post_limit ||
- FT_STREAM_POS() > post_limit - (FT_Int)len )
+ if ( len > post_limit ||
+ FT_STREAM_POS() > post_limit - len )
{
+ FT_Int d = (FT_Int)post_limit - (FT_Int)FT_STREAM_POS();
+
+
FT_ERROR(( "load_format_20:"
" exceeding string length (%d),"
" truncating at end of post table (%d byte left)\n",
- len, post_limit - FT_STREAM_POS() ));
- len = FT_MAX( 0, post_limit - FT_STREAM_POS() );
+ len, d ));
+ len = (FT_UInt)FT_MAX( 0, d );
}
if ( FT_NEW_ARRAY( name_strings[n], len + 1 ) ||
@@ -307,13 +310,13 @@
static FT_Error
load_format_25( TT_Face face,
FT_Stream stream,
- FT_Long post_limit )
+ FT_ULong post_limit )
{
FT_Memory memory = stream->memory;
FT_Error error;
FT_Int num_glyphs;
- FT_Char* offset_table = 0;
+ FT_Char* offset_table = NULL;
FT_UNUSED( post_limit );
@@ -377,7 +380,7 @@
FT_Error error;
FT_Fixed format;
FT_ULong post_len;
- FT_Long post_limit;
+ FT_ULong post_limit;
/* get a stream for the face's resource */
@@ -547,10 +550,7 @@
}
if ( idx < (FT_UInt)table->num_glyphs ) /* paranoid checking */
- {
- idx += table->offsets[idx];
- *PSname = MAC_NAME( idx );
- }
+ *PSname = MAC_NAME( (FT_Int)idx + table->offsets[idx] );
}
/* nothing to do for format == 0x00030000L */
diff --git a/src/sfnt/ttpost.h b/src/sfnt/ttpost.h
index 6f06d75..e3eca02 100644
--- a/src/sfnt/ttpost.h
+++ b/src/sfnt/ttpost.h
@@ -5,7 +5,7 @@
/* Postcript name table processing for TrueType and OpenType fonts */
/* (specification). */
/* */
-/* Copyright 1996-2001, 2002 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index 180d559..143f276 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -4,7 +4,7 @@
/* */
/* TrueType and OpenType embedded bitmap support (body). */
/* */
-/* Copyright 2005-2009, 2013, 2014 by */
+/* Copyright 2005-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* Copyright 2013 by Google, Inc. */
@@ -101,10 +101,10 @@
p = face->sbit_table;
- version = FT_NEXT_ULONG( p );
+ version = FT_NEXT_LONG( p );
num_strikes = FT_NEXT_ULONG( p );
- if ( ( version & 0xFFFF0000UL ) != 0x00020000UL )
+ if ( ( (FT_ULong)version & 0xFFFF0000UL ) != 0x00020000UL )
{
error = FT_THROW( Unknown_File_Format );
goto Exit;
@@ -150,12 +150,25 @@
error = FT_THROW( Unknown_File_Format );
goto Exit;
}
- if ( flags != 0x0001 || num_strikes >= 0x10000UL )
+
+ /* Bit 0 must always be `1'. */
+ /* Bit 1 controls the overlay of bitmaps with outlines. */
+ /* All other bits should be zero. */
+ if ( !( flags == 1 || flags == 3 ) ||
+ num_strikes >= 0x10000UL )
{
error = FT_THROW( Invalid_File_Format );
goto Exit;
}
+ /* we currently don't support bit 1; however, it is better to */
+ /* draw at least something... */
+ if ( flags == 3 )
+ FT_TRACE1(( "tt_face_load_sbit_strikes:"
+ " sbix overlay not supported yet\n"
+ " "
+ " expect bad rendering results\n" ));
+
/*
* Count the number of strikes available in the table. We are a bit
* paranoid there and don't trust the data.
@@ -260,6 +273,7 @@
FT_UShort ppem, resolution;
TT_HoriHeader *hori;
FT_ULong table_size;
+ FT_Pos ppem_, upem_; /* to reduce casts */
FT_Error error;
FT_Byte* p;
@@ -292,12 +306,15 @@
metrics->x_ppem = ppem;
metrics->y_ppem = ppem;
- metrics->ascender = ppem * hori->Ascender * 64 / upem;
- metrics->descender = ppem * hori->Descender * 64 / upem;
- metrics->height = ppem * ( hori->Ascender -
- hori->Descender +
- hori->Line_Gap ) * 64 / upem;
- metrics->max_advance = ppem * hori->advance_Width_Max * 64 / upem;
+ ppem_ = (FT_Pos)ppem;
+ upem_ = (FT_Pos)upem;
+
+ metrics->ascender = ppem_ * hori->Ascender * 64 / upem_;
+ metrics->descender = ppem_ * hori->Descender * 64 / upem_;
+ metrics->height = ppem_ * ( hori->Ascender -
+ hori->Descender +
+ hori->Line_Gap ) * 64 / upem_;
+ metrics->max_advance = ppem_ * hori->advance_Width_Max * 64 / upem_;
return error;
}
@@ -381,9 +398,11 @@
p += 34;
decoder->bit_depth = *p;
- if ( decoder->strike_index_array > face->sbit_table_size ||
- decoder->strike_index_array + 8 * decoder->strike_index_count >
- face->sbit_table_size )
+ /* decoder->strike_index_array + */
+ /* 8 * decoder->strike_index_count > face->sbit_table_size ? */
+ if ( decoder->strike_index_array > face->sbit_table_size ||
+ decoder->strike_index_count >
+ ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
error = FT_THROW( Invalid_File_Format );
}
@@ -405,7 +424,7 @@
FT_Error error = FT_Err_Ok;
FT_UInt width, height;
FT_Bitmap* map = decoder->bitmap;
- FT_Long size;
+ FT_ULong size;
if ( !decoder->metrics_loaded )
@@ -417,38 +436,38 @@
width = decoder->metrics->width;
height = decoder->metrics->height;
- map->width = (int)width;
- map->rows = (int)height;
+ map->width = width;
+ map->rows = height;
switch ( decoder->bit_depth )
{
case 1:
map->pixel_mode = FT_PIXEL_MODE_MONO;
- map->pitch = ( map->width + 7 ) >> 3;
+ map->pitch = (int)( ( map->width + 7 ) >> 3 );
map->num_grays = 2;
break;
case 2:
map->pixel_mode = FT_PIXEL_MODE_GRAY2;
- map->pitch = ( map->width + 3 ) >> 2;
+ map->pitch = (int)( ( map->width + 3 ) >> 2 );
map->num_grays = 4;
break;
case 4:
map->pixel_mode = FT_PIXEL_MODE_GRAY4;
- map->pitch = ( map->width + 1 ) >> 1;
+ map->pitch = (int)( ( map->width + 1 ) >> 1 );
map->num_grays = 16;
break;
case 8:
map->pixel_mode = FT_PIXEL_MODE_GRAY;
- map->pitch = map->width;
+ map->pitch = (int)( map->width );
map->num_grays = 256;
break;
case 32:
map->pixel_mode = FT_PIXEL_MODE_BGRA;
- map->pitch = map->width * 4;
+ map->pitch = (int)( map->width * 4 );
map->num_grays = 256;
break;
@@ -457,7 +476,7 @@
goto Exit;
}
- size = map->rows * map->pitch;
+ size = map->rows * (FT_ULong)map->pitch;
/* check that there is no empty image */
if ( size == 0 )
@@ -505,13 +524,20 @@
p += 3;
}
+ else
+ {
+ /* avoid uninitialized data in case there is no vertical info -- */
+ metrics->vertBearingX = 0;
+ metrics->vertBearingY = 0;
+ metrics->vertAdvance = 0;
+ }
decoder->metrics_loaded = 1;
*pp = p;
return FT_Err_Ok;
Fail:
- FT_TRACE1(( "tt_sbit_decoder_load_metrics: broken table" ));
+ FT_TRACE1(( "tt_sbit_decoder_load_metrics: broken table\n" ));
return FT_THROW( Invalid_Argument );
}
@@ -539,7 +565,8 @@
{
FT_Error error = FT_Err_Ok;
FT_Byte* line;
- FT_Int bit_height, bit_width, pitch, width, height, line_bits, h;
+ FT_Int pitch, width, height, line_bits, h;
+ FT_UInt bit_height, bit_width;
FT_Bitmap* bitmap;
@@ -555,8 +582,8 @@
line_bits = width * decoder->bit_depth;
- if ( x_pos < 0 || x_pos + width > bit_width ||
- y_pos < 0 || y_pos + height > bit_height )
+ if ( x_pos < 0 || (FT_UInt)( x_pos + width ) > bit_width ||
+ y_pos < 0 || (FT_UInt)( y_pos + height ) > bit_height )
{
FT_TRACE1(( "tt_sbit_decoder_load_byte_aligned:"
" invalid bitmap dimensions\n" ));
@@ -677,7 +704,8 @@
{
FT_Error error = FT_Err_Ok;
FT_Byte* line;
- FT_Int bit_height, bit_width, pitch, width, height, line_bits, h, nbits;
+ FT_Int pitch, width, height, line_bits, h, nbits;
+ FT_UInt bit_height, bit_width;
FT_Bitmap* bitmap;
FT_UShort rval;
@@ -694,8 +722,8 @@
line_bits = width * decoder->bit_depth;
- if ( x_pos < 0 || x_pos + width > bit_width ||
- y_pos < 0 || y_pos + height > bit_height )
+ if ( x_pos < 0 || (FT_UInt)( x_pos + width ) > bit_width ||
+ y_pos < 0 || (FT_UInt)( y_pos + height ) > bit_height )
{
FT_TRACE1(( "tt_sbit_decoder_load_bit_aligned:"
" invalid bitmap dimensions\n" ));
@@ -1148,7 +1176,8 @@
num_glyphs = FT_NEXT_ULONG( p );
/* overflow check for p + ( num_glyphs + 1 ) * 4 */
- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+ if ( p + 4 > p_limit ||
+ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
goto NoBitmap;
for ( mm = 0; mm < num_glyphs; mm++ )
@@ -1335,6 +1364,7 @@
case FT_MAKE_TAG( 'j', 'p', 'g', ' ' ):
case FT_MAKE_TAG( 't', 'i', 'f', 'f' ):
+ case FT_MAKE_TAG( 'r', 'g', 'b', 'l' ): /* used on iOS 7.1 */
error = FT_THROW( Unknown_File_Format );
break;
@@ -1355,9 +1385,9 @@
metrics->horiBearingX = (FT_Short)originOffsetX;
metrics->horiBearingY = (FT_Short)( -originOffsetY + metrics->height );
- metrics->horiAdvance = (FT_Short)( aadvance *
- face->root.size->metrics.x_ppem /
- face->header.Units_Per_EM );
+ metrics->horiAdvance = (FT_UShort)( aadvance *
+ face->root.size->metrics.x_ppem /
+ face->header.Units_Per_EM );
}
return error;
@@ -1418,7 +1448,7 @@
FT_Library library = face->root.glyph->library;
- FT_Bitmap_New( &new_map );
+ FT_Bitmap_Init( &new_map );
/* Convert to 8bit grayscale. */
error = FT_Bitmap_Convert( library, map, &new_map, 1 );
diff --git a/src/sfnt/ttsbit.h b/src/sfnt/ttsbit.h
index 695d0d8..d4e13ae 100644
--- a/src/sfnt/ttsbit.h
+++ b/src/sfnt/ttsbit.h
@@ -4,7 +4,7 @@
/* */
/* TrueType and OpenType embedded bitmap support (specification). */
/* */
-/* Copyright 1996-2008, 2013 by */
+/* Copyright 1996-2015 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-01 18:14:01 +0000