From 7f08cbd7d6dcf19b8d8e4328e33032aee342e3b4 Mon Sep 17 00:00:00 2001 From: David 'Digit' Turner Date: Wed, 26 Jan 2011 13:53:40 +0100 Subject: Upgrade to upstream 2.4.4 This is necessary to fix several security issues. See b/3344697 Change-Id: Ica5c6387fbd791008199f7994ed03978ed700a69 --- src/truetype/ttgload.c | 3 + src/truetype/ttgxvar.c | 6 +- src/truetype/ttinterp.c | 38 +++++++-- src/truetype/ttobjs.c | 204 +++++++++++++++++++++++++++++++++++++++++++++--- src/truetype/ttpload.c | 30 ++++++- 5 files changed, 258 insertions(+), 23 deletions(-) (limited to 'src/truetype') diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c index 1b496c0..3a69b7b 100644 --- a/src/truetype/ttgload.c +++ b/src/truetype/ttgload.c @@ -1910,6 +1910,9 @@ FT_UInt i; + FT_TRACE4(( "tt_loader_init: grayscale change," + " re-executing `prep' table\n" )); + exec->grayscale = grayscale; for ( i = 0; i < size->cvt_size; i++ ) diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index 653d9d5..47bb9fc 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -130,7 +130,7 @@ FT_Int j; FT_Int first; FT_Memory memory = stream->memory; - FT_Error error = TT_Err_Ok; + FT_Error error = TT_Err_Ok; FT_UNUSED( error ); @@ -154,7 +154,7 @@ runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK; first = points[i++] = FT_GET_USHORT(); - if ( runcnt < 1 ) + if ( runcnt < 1 || i + runcnt >= n ) goto Exit; /* first point not included in runcount */ @@ -165,7 +165,7 @@ { first = points[i++] = FT_GET_BYTE(); - if ( runcnt < 1 ) + if ( runcnt < 1 || i + runcnt >= n ) goto Exit; for ( j = 0; j < runcnt; ++j ) diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index d22e94f..f55b8ee 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -478,8 +478,7 @@ return TT_Err_Ok; Fail_Memory: - FT_ERROR(( "Init_Context: not enough memory for 0x%08lx\n", - (FT_Long)exec )); + FT_ERROR(( "Init_Context: not enough memory for %p\n", exec )); TT_Done_Context( exec ); return error; @@ -596,6 +595,12 @@ exec->storage = size->storage; exec->twilight = size->twilight; + + /* In case of multi-threading it can happen that the old size object */ + /* no longer exists, thus we must clear all glyph zone references. */ + ft_memset( &exec->zp0, 0, sizeof ( exec->zp0 ) ); + exec->zp1 = exec->zp0; + exec->zp2 = exec->zp0; } /* XXX: We reserve a little more elements on the stack to deal safely */ @@ -5795,7 +5800,16 @@ if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 ) last_point = (FT_UShort)( CUR.zp2.n_points - 1 ); else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 ) + { last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] ); + + if ( BOUNDS( last_point, CUR.zp2.n_points ) ) + { + if ( CUR.pedantic_hinting ) + CUR.error = TT_Err_Invalid_Reference; + return; + } + } else last_point = 0; @@ -6773,12 +6787,11 @@ { if ( ( CUR.pts.tags[point] & mask ) != 0 ) { - if ( point > 0 ) - _iup_worker_interpolate( &V, - cur_touched + 1, - point - 1, - cur_touched, - point ); + _iup_worker_interpolate( &V, + cur_touched + 1, + point - 1, + cur_touched, + point ); cur_touched = point; } @@ -8128,6 +8141,15 @@ *exc = cur; #endif + /* If any errors have occurred, function tables may be broken. */ + /* Force a re-execution of `prep' and `fpgm' tables if no */ + /* bytecode debugger is run. */ + if ( CUR.error && !CUR.instruction_trap ) + { + FT_TRACE1(( " The interpreter returned error 0x%x\n", CUR.error )); + exc->size->cvt_ready = FALSE; + } + return CUR.error; } diff --git a/src/truetype/ttobjs.c b/src/truetype/ttobjs.c index 11d662d..8fe86ad 100644 --- a/src/truetype/ttobjs.c +++ b/src/truetype/ttobjs.c @@ -4,7 +4,8 @@ /* */ /* Objects manager (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */ +/* 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -146,28 +147,28 @@ /* This list shall be expanded as we find more of them. */ static FT_Bool - tt_check_trickyness( FT_String* name ) + tt_check_trickyness_family( FT_String* name ) { + #define TRICK_NAMES_MAX_CHARACTERS 16 -#define TRICK_NAMES_COUNT 7 - static const char trick_names[TRICK_NAMES_COUNT][TRICK_NAMES_MAX_CHARACTERS+1] = +#define TRICK_NAMES_COUNT 8 + + static const char trick_names[TRICK_NAMES_COUNT] + [TRICK_NAMES_MAX_CHARACTERS + 1] = { "DFKaiSho-SB", /* dfkaisb.ttf */ "DFKaiShu", "DFKai-SB", /* kaiu.ttf */ + "HuaTianKaiTi?", /* htkt2.ttf */ "HuaTianSongTi?", /* htst3.ttf */ "MingLiU", /* mingliu.ttf & mingliu.ttc */ "PMingLiU", /* mingliu.ttc */ "MingLi43", /* mingli.ttf */ }; - int nn; + int nn; - if ( !name ) - return FALSE; - /* Note that we only check the face name at the moment; it might */ - /* be worth to do more checks for a few special cases. */ for ( nn = 0; nn < TRICK_NAMES_COUNT; nn++ ) if ( ft_strstr( name, trick_names[nn] ) ) return TRUE; @@ -176,6 +177,181 @@ } + /* XXX: This function should be in the `sfnt' module. */ + + /* Some PDF generators clear the checksums in the TrueType header table. */ + /* For example, Quartz ContextPDF clears all entries, or Bullzip PDF */ + /* Printer clears the entries for subsetted subtables. We thus have to */ + /* recalculate the checksums where necessary. */ + + static FT_UInt32 + tt_synth_sfnt_checksum( FT_Stream stream, + FT_ULong length ) + { + FT_Error error; + FT_UInt32 checksum = 0; + int i; + + + if ( FT_FRAME_ENTER( length ) ) + return 0; + + for ( ; length > 3; length -= 4 ) + checksum += (FT_UInt32)FT_GET_ULONG(); + + for ( i = 3; length > 0; length --, i-- ) + checksum += (FT_UInt32)( FT_GET_BYTE() << ( i * 8 ) ); + + FT_FRAME_EXIT(); + + return checksum; + } + + + /* XXX: This function should be in the `sfnt' module. */ + + static FT_ULong + tt_get_sfnt_checksum( TT_Face face, + FT_UShort i ) + { + if ( face->dir_tables[i].CheckSum ) + return face->dir_tables[i].CheckSum; + + else if ( !face->goto_table ) + return 0; + + else if ( !face->goto_table( face, + face->dir_tables[i].Tag, + face->root.stream, + NULL ) ) + return 0; + + return (FT_ULong)tt_synth_sfnt_checksum( face->root.stream, + face->dir_tables[i].Length ); + } + + + typedef struct tt_sfnt_id_rec_ + { + FT_ULong CheckSum; + FT_ULong Length; + + } tt_sfnt_id_rec; + + + static FT_Bool + tt_check_trickyness_sfnt_ids( TT_Face face ) + { +#define TRICK_SFNT_IDS_PER_FACE 3 +#define TRICK_SFNT_IDS_NUM_FACES 5 + + static const tt_sfnt_id_rec sfnt_id[TRICK_SFNT_IDS_NUM_FACES] + [TRICK_SFNT_IDS_PER_FACE] = { + +#define TRICK_SFNT_ID_cvt 0 +#define TRICK_SFNT_ID_fpgm 1 +#define TRICK_SFNT_ID_prep 2 + + { /* MingLiU 1995 */ + { 0x05bcf058, 0x000002e4 }, /* cvt */ + { 0x28233bf1, 0x000087c4 }, /* fpgm */ + { 0xa344a1ea, 0x000001e1 } /* prep */ + }, + { /* MingLiU 1996- */ + { 0x05bcf058, 0x000002e4 }, /* cvt */ + { 0x28233bf1, 0x000087c4 }, /* fpgm */ + { 0xa344a1eb, 0x000001e1 } /* prep */ + }, + { /* DFKaiShu */ + { 0x11e5ead4, 0x00000350 }, /* cvt */ + { 0x5a30ca3b, 0x00009063 }, /* fpgm */ + { 0x13a42602, 0x0000007e } /* prep */ + }, + { /* HuaTianKaiTi */ + { 0xfffbfffc, 0x00000008 }, /* cvt */ + { 0x9c9e48b8, 0x0000bea2 }, /* fpgm */ + { 0x70020112, 0x00000008 } /* prep */ + }, + { /* HuaTianSongTi */ + { 0xfffbfffc, 0x00000008 }, /* cvt */ + { 0x0a5a0483, 0x00017c39 }, /* fpgm */ + { 0x70020112, 0x00000008 } /* prep */ + } + }; + + FT_ULong checksum; + int num_matched_ids[TRICK_SFNT_IDS_NUM_FACES]; + int i, j, k; + + + FT_MEM_SET( num_matched_ids, 0, + sizeof( int ) * TRICK_SFNT_IDS_NUM_FACES ); + + for ( i = 0; i < face->num_tables; i++ ) + { + checksum = 0; + + switch( face->dir_tables[i].Tag ) + { + case TTAG_cvt: + k = TRICK_SFNT_ID_cvt; + break; + + case TTAG_fpgm: + k = TRICK_SFNT_ID_fpgm; + break; + + case TTAG_prep: + k = TRICK_SFNT_ID_prep; + break; + + default: + continue; + } + + for ( j = 0; j < TRICK_SFNT_IDS_NUM_FACES; j++ ) + if ( face->dir_tables[i].Length == sfnt_id[j][k].Length ) + { + if ( !checksum ) + checksum = tt_get_sfnt_checksum( face, i ); + + if ( sfnt_id[j][k].CheckSum == checksum ) + num_matched_ids[j]++; + + if ( num_matched_ids[j] == TRICK_SFNT_IDS_PER_FACE ) + return TRUE; + } + } + + return FALSE; + } + + + static FT_Bool + tt_check_trickyness( FT_Face face ) + { + if ( !face ) + return FALSE; + + /* First, check the face name. */ + if ( face->family_name ) + { + if ( tt_check_trickyness_family( face->family_name ) ) + return TRUE; + else + return FALSE; + } + + /* Type42 fonts may lack `name' tables, we thus try to identify */ + /* tricky fonts by checking the checksums of Type42-persistent */ + /* sfnt tables (`cvt', `fpgm', and `prep'). */ + if ( tt_check_trickyness_sfnt_ids( (TT_Face)face ) ) + return TRUE; + + return FALSE; + } + + /*************************************************************************/ /* */ /* */ @@ -250,7 +426,7 @@ if ( error ) goto Exit; - if ( tt_check_trickyness( ttface->family_name ) ) + if ( tt_check_trickyness( ttface ) ) ttface->face_flags |= FT_FACE_FLAG_TRICKY; error = tt_face_load_hdmx( face, stream ); @@ -458,7 +634,11 @@ error = TT_Goto_CodeRange( exec, tt_coderange_font, 0 ); if ( !error ) + { + FT_TRACE4(( "Executing `fpgm' table.\n" )); + error = face->interpreter( exec ); + } } else error = TT_Err_Ok; @@ -520,7 +700,11 @@ error = TT_Goto_CodeRange( exec, tt_coderange_cvt, 0 ); if ( !error && !size->debug ) + { + FT_TRACE4(( "Executing `prep' table.\n" )); + error = face->interpreter( exec ); + } } else error = TT_Err_Ok; diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c index a311b03..68a5453 100644 --- a/src/truetype/ttpload.c +++ b/src/truetype/ttpload.c @@ -4,7 +4,7 @@ /* */ /* TrueType-specific tables loader (body). */ /* */ -/* Copyright 1996-2001, 2002, 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 1996-2001, 2002, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -137,6 +137,12 @@ dist = diff; } + if ( entry == limit ) + { + /* `loca' is the last table */ + dist = stream->size - pos; + } + if ( new_loca_len <= dist ) { face->num_locations = face->root.num_glyphs; @@ -203,6 +209,26 @@ } } + /* Check broken location data */ + if ( pos1 >= face->glyf_len ) + { + FT_TRACE1(( "tt_face_get_location:" + " too large offset=0x%08lx found for gid=0x%04lx," + " exceeding the end of glyf table (0x%08lx)\n", + pos1, gindex, face->glyf_len )); + *asize = 0; + return 0; + } + + if ( pos2 >= face->glyf_len ) + { + FT_TRACE1(( "tt_face_get_location:" + " too large offset=0x%08lx found for gid=0x%04lx," + " truncate at the end of glyf table (0x%08lx)\n", + pos2, gindex + 1, face->glyf_len )); + pos2 = face->glyf_len; + } + /* The `loca' table must be ordered; it refers to the length of */ /* an entry as the difference between the current and the next */ /* position. However, there do exist (malformed) fonts which */ @@ -287,7 +313,7 @@ FT_Short* limit = cur + face->cvt_size; - for ( ; cur < limit; cur++ ) + for ( ; cur < limit; cur++ ) *cur = FT_GET_SHORT(); } -- cgit v1.2.3