From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sat, 22 Nov 2014 10:46:47 +0100 Subject: [PATCH] [type42] Fix Savannah bug #43659. * src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'. * src/type42/t42parse.c (t42_parse_sfnts): Always set `face->ttf_size' directly. This ensures a correct stream size in the call to `FT_Open_Face', which follows after parsing, even for buggy input data. Fix error messages. --- ChangeLog | 12 ++++++++++++ src/type42/t42objs.c | 6 ++++++ src/type42/t42parse.c | 25 ++++++++++++------------- 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 391361910..91d8bbbce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2014-11-22 Werner Lemberg + + [type42] Fix Savannah bug #43659. + + * src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'. + + * src/type42/t42parse.c (t42_parse_sfnts): Always set + `face->ttf_size' directly. This ensures a correct stream size in + the call to `FT_Open_Face', which follows after parsing, even for + buggy input data. + Fix error messages. + 2014-11-22 Werner Lemberg [cff] Fix Savannah bug #43658. diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c index 798ebdbc5..7a9cb5781 100644 --- a/src/type42/t42objs.c +++ b/src/type42/t42objs.c @@ -47,6 +47,12 @@ if ( FT_ALLOC( face->ttf_data, 12 ) ) goto Exit; + /* while parsing the font we always update `face->ttf_size' so that */ + /* even in case of buggy data (which might lead to premature end of */ + /* scanning without causing an error) the call to `FT_Open_Face' in */ + /* `T42_Face_Init' passes the correct size */ + face->ttf_size = 12; + error = t42_parser_init( parser, face->root.stream, memory, diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c index a60e216f9..daf304d8a 100644 --- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -524,7 +524,7 @@ FT_Byte* limit = parser->root.limit; FT_Error error; FT_Int num_tables = 0; - FT_ULong count, ttf_size = 0; + FT_ULong count; FT_Long n, string_size, old_string_size, real_size; FT_Byte* string_buf = NULL; @@ -617,7 +617,7 @@ if ( limit - parser->root.cursor < string_size ) { - FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); + FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); goto Fail; } @@ -657,18 +657,18 @@ } else { - num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; - status = BEFORE_TABLE_DIR; - ttf_size = 12 + 16 * num_tables; + num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; + status = BEFORE_TABLE_DIR; + face->ttf_size = 12 + 16 * num_tables; - if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) ) + if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) ) goto Fail; } /* fall through */ case BEFORE_TABLE_DIR: /* the offset table is read; read the table directory */ - if ( count < ttf_size ) + if ( count < face->ttf_size ) { face->ttf_data[count++] = string_buf[n]; continue; @@ -687,24 +687,23 @@ len = FT_PEEK_ULONG( p ); /* Pad to a 4-byte boundary length */ - ttf_size += ( len + 3 ) & ~3; + face->ttf_size += ( len + 3 ) & ~3; } - status = OTHER_TABLES; - face->ttf_size = ttf_size; + status = OTHER_TABLES; /* there are no more than 256 tables, so no size check here */ if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables, - ttf_size + 1 ) ) + face->ttf_size + 1 ) ) goto Fail; } /* fall through */ case OTHER_TABLES: /* all other tables are just copied */ - if ( count >= ttf_size ) + if ( count >= face->ttf_size ) { - FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); + FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); goto Fail; }