From c158e6ad29b5df89aa04417832cdfd750ce294b2 Mon Sep 17 00:00:00 2001 From: Jungshik Shin Date: Sun, 18 Sep 2016 03:50:36 -0700 Subject: Update FreeType from 2.6.2 to c38be52bf8de (2.7 + a few post-2.7 CLs) http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c38be52b Keep all the configuration options as before. Likewise, exclude unused files (Jamfiles, various mk files, builds/, docs/, ChangeLog*, directories under src/ for disabled modules, etc). Update README.android to record the configurations. Besides, disable a new option (TT_CONFIG_OPTION_SUBPIXEL_HINTING) for branches. Note that a bulk of changes in this CL come from the code to implement this option. BUG: 31470908 AOSP-Change-Id: I1ca90aec171d9580415b8531e2b767e9dd31164c CVE-2016-10244 Change-Id: I4485d2ea543c52f8145ab23372cf3e5c7345879b (cherry picked from commit 055aee28cedc3631434b2636fc6093c0d4d818ab) --- src/sfnt/ttcmap.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 64 insertions(+), 11 deletions(-) (limited to 'src/sfnt/ttcmap.c') diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c index 2b1337f..cd7467d 100644 --- a/src/sfnt/ttcmap.c +++ b/src/sfnt/ttcmap.c @@ -4,7 +4,7 @@ /* */ /* TrueType character mapping table (cmap) support (body). */ /* */ -/* Copyright 2002-2015 by */ +/* Copyright 2002-2016 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -763,6 +763,9 @@ static void tt_cmap4_next( TT_CMap4 cmap ) { + TT_Face face = (TT_Face)cmap->cmap.cmap.charmap.face; + FT_Byte* limit = face->cmap_table + face->cmap_size; + FT_UInt charcode; @@ -788,15 +791,19 @@ FT_Byte* p = values + 2 * ( charcode - cmap->cur_start ); + /* if p > limit, the whole segment is invalid */ + if ( p > limit ) + goto Next_Segment; + do { FT_UInt gindex = FT_NEXT_USHORT( p ); - if ( gindex != 0 ) + if ( gindex ) { gindex = (FT_UInt)( (FT_Int)gindex + delta ) & 0xFFFFU; - if ( gindex != 0 ) + if ( gindex ) { cmap->cur_charcode = charcode; cmap->cur_gindex = gindex; @@ -812,7 +819,26 @@ FT_UInt gindex = (FT_UInt)( (FT_Int)charcode + delta ) & 0xFFFFU; - if ( gindex != 0 ) + if ( gindex >= (FT_UInt)face->root.num_glyphs ) + { + /* we have an invalid glyph index; if there is an overflow, */ + /* we can adjust `charcode', otherwise the whole segment is */ + /* invalid */ + gindex = 0; + + if ( (FT_Int)charcode + delta < 0 && + (FT_Int)end + delta >= 0 ) + charcode = (FT_UInt)( -delta ); + + else if ( (FT_Int)charcode + delta < 0x10000L && + (FT_Int)end + delta >= 0x10000L ) + charcode = (FT_UInt)( 0x10000L - delta ); + + else + goto Next_Segment; + } + + if ( gindex ) { cmap->cur_charcode = charcode; cmap->cur_gindex = gindex; @@ -822,6 +848,7 @@ } } + Next_Segment: /* we need to find another range */ if ( tt_cmap4_set_range( cmap, cmap->cur_range + 1 ) < 0 ) break; @@ -1170,6 +1197,9 @@ FT_UInt32* pcharcode, FT_Bool next ) { + TT_Face face = (TT_Face)cmap->cmap.charmap.face; + FT_Byte* limit = face->cmap_table + face->cmap_size; + FT_UInt num_segs2, start, end, offset; FT_Int delta; FT_UInt max, min, mid, num_segs; @@ -1221,10 +1251,6 @@ if ( mid >= num_segs - 1 && start == 0xFFFFU && end == 0xFFFFU ) { - TT_Face face = (TT_Face)cmap->cmap.charmap.face; - FT_Byte* limit = face->cmap_table + face->cmap_size; - - if ( offset && p + offset + 2 > limit ) { delta = 1; @@ -1245,7 +1271,7 @@ mid = max + 1; /* search in segments before the current segment */ - for ( i = max ; i > 0; i-- ) + for ( i = max; i > 0; i-- ) { FT_UInt prev_end; FT_Byte* old_p; @@ -1347,13 +1373,40 @@ if ( offset ) { p += offset + ( charcode - start ) * 2; + + /* if p > limit, the whole segment is invalid */ + if ( next && p > limit ) + break; + gindex = TT_PEEK_USHORT( p ); - if ( gindex != 0 ) + if ( gindex ) + { gindex = (FT_UInt)( (FT_Int)gindex + delta ) & 0xFFFFU; + if ( gindex >= (FT_UInt)face->root.num_glyphs ) + gindex = 0; + } } else + { gindex = (FT_UInt)( (FT_Int)charcode + delta ) & 0xFFFFU; + if ( next && gindex >= (FT_UInt)face->root.num_glyphs ) + { + /* we have an invalid glyph index; if there is an overflow, */ + /* we can adjust `charcode', otherwise the whole segment is */ + /* invalid */ + gindex = 0; + + if ( (FT_Int)charcode + delta < 0 && + (FT_Int)end + delta >= 0 ) + charcode = (FT_UInt)( -delta ); + + else if ( (FT_Int)charcode + delta < 0x10000L && + (FT_Int)end + delta >= 0x10000L ) + charcode = (FT_UInt)( 0x10000L - delta ); + } + } + break; } } @@ -3104,7 +3157,7 @@ if ( char_code < start ) max = mid; - else if ( char_code > start+cnt ) + else if ( char_code > start + cnt ) min = mid + 1; else return TRUE; -- cgit v1.2.3