(-)file_not_specified_in_diff (-11 / +51 lines)
0
-- freetype-2.3.9-orig/src/cff/cffload.c
0
++ freetype-2.3.9/src/cff/cffload.c
Lines 842-848 Link Here
842
            goto Exit;
842
            goto Exit;
843
843
844
          for ( j = 1; j < num_glyphs; j++ )
844
          for ( j = 1; j < num_glyphs; j++ )
845
            charset->sids[j] = FT_GET_USHORT();
845
          {
846
            FT_UShort sid = FT_GET_USHORT();
847
848
849
            /* this constant is given in the CFF specification */
850
            if ( sid < 65000 )
851
              charset->sids[j] = sid;
852
            else
853
            {
854
              FT_ERROR(( "cff_charset_load:"
855
                         " invalid SID value %d set to zero\n", sid ));
856
              charset->sids[j] = 0;
857
            }
858
          }
846
859
847
          FT_FRAME_EXIT();
860
          FT_FRAME_EXIT();
848
        }
861
        }
Lines 875-880 Link Here
875
                goto Exit;
888
                goto Exit;
876
            }
889
            }
877
890
891
            /* check whether the range contains at least one valid glyph; */
892
            /* the constant is given in the CFF specification             */
893
            if ( glyph_sid >= 65000 ) {
894
              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
895
              error = CFF_Err_Invalid_File_Format;
896
              goto Exit;
897
            }
898
899
            /* try to rescue some of the SIDs if `nleft' is too large */
900
            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
901
              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
902
              nleft = 65000 - 1 - glyph_sid;
903
            }
904
878
            /* Fill in the range of sids -- `nleft + 1' glyphs. */
905
            /* Fill in the range of sids -- `nleft + 1' glyphs. */
879
            for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
906
            for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
880
              charset->sids[j] = glyph_sid;
907
              charset->sids[j] = glyph_sid;
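Review bot: The SID limit `65000` appears as a bare literal five times across the two hunks of this file (the `sid < 65000` test in the first loop, and `glyph_sid >= 65000`, `65000 - 1` twice and `65000 - nleft` in the range branch), so the per-glyph and per-range bounds can drift apart on a later edit. One named constant used in all five places would keep them tied together, for example `#define CFF_MAX_SID_LIMIT  65000U` (a suggested name, not an existing macro). The two branches also treat an out-of-range SID differently: the first loop stores 0 and continues, while the range branch fails the load with `CFF_Err_Invalid_File_Format`, and a short comment should say why, since the only trace of the substitution is an `FT_ERROR` message. The trimming step `nleft = 65000 - 1 - glyph_sid` is only safe because of the preceding `glyph_sid >= 65000` rejection and depends on the operand types, which are declared outside the hunk. The new `if ( ... ) {` lines also put the brace on the same line, unlike the own-line braces used in the first hunk.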
881
-- freetype-2.3.9-orig/src/lzw/ftzopen.c
908
++ freetype-2.3.9/src/lzw/ftzopen.c
Lines 332-337 Link Here
332
332
333
          while ( code >= 256U )
333
          while ( code >= 256U )
334
          {
334
          {
335
            if ( !state->prefix )
336
              goto Eof;
337
335
            FTLZW_STACK_PUSH( state->suffix[code - 256] );
338
            FTLZW_STACK_PUSH( state->suffix[code - 256] );
336
            code = state->prefix[code - 256];
339
            code = state->prefix[code - 256];
337
          }
340
          }
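Review bot: The added guard tests only `state->prefix`, yet the next line indexes `state->suffix[code - 256]`, and neither access is bounded against the table size inside this loop. If the two tables are always allocated together and `code - 256` is range-checked before the `while` (both outside this hunk), a comment next to the check should say so, along the lines of `/* prefix and suffix share one allocation; NULL means no entry has been added yet -- confirm */`. If that is not guaranteed, the loop also needs an explicit upper bound on `code`, which presumably comes from the compressed stream. As far as the hunk shows, the test is loop-invariant and could sit just before the `while`.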
338
-- freetype-2.3.9-orig/src/sfnt/ttcmap.c
341
++ freetype-2.3.9/src/sfnt/ttcmap.c
Lines 1635-1641 Link Here
1635
      FT_INVALID_TOO_SHORT;
1635
      FT_INVALID_TOO_SHORT;
1636
1636
1637
    length = TT_NEXT_ULONG( p );
1637
    length = TT_NEXT_ULONG( p );
1638
    if ( table + length > valid->limit || length < 8208 )
1638
    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
1639
      FT_INVALID_TOO_SHORT;
1639
      FT_INVALID_TOO_SHORT;
1640
1640
1641
    is32       = table + 12;
1641
    is32       = table + 12;
Lines 1863-1869 Link Here
1863
    p      = table + 16;
1863
    p      = table + 16;
1864
    count  = TT_NEXT_ULONG( p );
1864
    count  = TT_NEXT_ULONG( p );
1865
1865
1866
    if ( table + length > valid->limit || length < 20 + count * 2 )
1866
    if ( length > (FT_ULong)( valid->limit - table ) ||
1867
         length < 20 + count * 2                     )
1867
      FT_INVALID_TOO_SHORT;
1868
      FT_INVALID_TOO_SHORT;
1868
1869
1869
    /* check glyph indices */
1870
    /* check glyph indices */
Lines 2048-2054 Link Here
2048
    p          = table + 12;
2049
    p          = table + 12;
2049
    num_groups = TT_NEXT_ULONG( p );
2050
    num_groups = TT_NEXT_ULONG( p );
2050
2051
2051
    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
2052
    if ( length > (FT_ULong)( valid->limit - table ) ||
2053
         length < 16 + 12 * num_groups               )
2052
      FT_INVALID_TOO_SHORT;
2054
      FT_INVALID_TOO_SHORT;
2053
2055
2054
    /* check groups, they must be in increasing order */
2056
    /* check groups, they must be in increasing order */
Lines 2429-2435 Link Here
2429
    FT_ULong  num_selectors = TT_NEXT_ULONG( p );
2431
    FT_ULong  num_selectors = TT_NEXT_ULONG( p );
2430
2432
2431
2433
2432
    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
2434
    if ( length > (FT_ULong)( valid->limit - table ) ||
2435
         length < 10 + 11 * num_selectors            )
2433
      FT_INVALID_TOO_SHORT;
2436
      FT_INVALID_TOO_SHORT;
2434
2437
2435
    /* check selectors, they must be in increasing order */
2438
    /* check selectors, they must be in increasing order */
Lines 2491-2497 Link Here
2491
          FT_ULong  i, lastUni = 0;
2494
          FT_ULong  i, lastUni = 0;
2492
2495
2493
2496
2494
          if ( ndp + numMappings * 4 > valid->limit )
2497
          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
2495
            FT_INVALID_TOO_SHORT;
2498
            FT_INVALID_TOO_SHORT;
2496
2499
2497
          for ( i = 0; i < numMappings; ++i )
2500
          for ( i = 0; i < numMappings; ++i )
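Review bot: The rewritten checks remove the pointer wrap in `table + length`, but the other operand still multiplies a count read from the font: `20 + count * 2`, `16 + 12 * num_groups`, `10 + 11 * num_selectors` and `numMappings * 4` can wrap where `FT_ULong` is 32 bits wide, letting a very large count pass the size test. Dividing instead of multiplying avoids this, e.g. `length < 16 || ( length - 16 ) / 12 < num_groups` for the hunk at new line 2052, with the same shape at 1866 and 2434 and `numMappings > (FT_ULong)( valid->limit - ndp ) / 4` at 2497. Only `num_selectors` is visibly declared as `FT_ULong`; the other counts are declared outside the hunks and are presumably the same type. The first hunk casts the pointer difference to `FT_UInt32` while the others use `FT_ULong`, and one type throughout would avoid a truncated difference on 64-bit targets. All of these subtractions assume `table` and `ndp` do not exceed `valid->limit`, which has to be established by earlier checks not visible here.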
2498
-- freetype-2.3.9-orig/src/smooth/ftsmooth.c
2501
++ freetype-2.3.9/src/smooth/ftsmooth.c
Lines 153-159 Link Here
153
      slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
153
      slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
154
    }
154
    }
155
155
156
    /* allocate new one, depends on pixel format */
156
    /* allocate new one */
157
    pitch = width;
157
    pitch = width;
158
    if ( hmul )
158
    if ( hmul )
159
    {
159
    {
Lines 194-199 Link Here
194
194
195
#endif
195
#endif
196
196
197
    if ( pitch > 0xFFFF || height > 0xFFFF )
198
    {
199
      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
200
                 width, height ));
201
      return Smooth_Err_Raster_Overflow;
202
    }
203
197
    bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
204
    bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
198
    bitmap->num_grays  = 256;
205
    bitmap->num_grays  = 256;
199
    bitmap->width      = width;
206
    bitmap->width      = width;
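Review bot: The new size check leaves through a bare `return Smooth_Err_Raster_Overflow;`, so any common exit handling later in this function is skipped. The function body extends beyond the hunk, so confirm that nothing set up before this point needs undoing; if something does, assign the error and jump to the function's exit label instead. The test is on `pitch` but the message prints `width`, and the two may differ if the `hmul` branch changes `pitch`. The `%d` conversions should also match the declared types of `width` and `height`, which are outside the hunk. The `0xFFFF` bound has no comment, and one line stating which downstream limit it protects would help the next reader.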
