(-)a/ChangeLog (+16 lines)
Lines 1-3 Link Here
1
2006-02-27  David Turner  <david@freetype.org>
2
3
    * src/base/ftutil.c: ft_mem_alloc and related functions now return an
4
    error if a negative size is passed in parameters.
5
6
    * src/cache/ftccache.c: make ftc_node_destroy FT_BASE_DEF, it needs to
7
    be exported for rogue clients
8
    
9
    * src/pshinter/pshglob.c: prevent problems with malformed fonts which
10
    have an odd number of blue values (these are broken according to the
11
    specs).
12
13
    * src/cff/cffload.c, src/type1/t1load.c: modify the loaders to force
14
    even-ness of 'num_blue_values'. Also change the CFF loader so that
15
    invalid entries in index files are ignored.
16
1
2006-02-27  Chia-I Wu  <b90201047@ntu.edu.tw>
17
2006-02-27  Chia-I Wu  <b90201047@ntu.edu.tw>
2
18
3
	* src/base/ftobjs.c (FT_Set_Char_Size): Ahh.. forgot to check the case
19
	* src/base/ftobjs.c (FT_Set_Char_Size): Ahh.. forgot to check the case
(-)a/src/base/ftutil.c (-9 / +45 lines)
Lines 66-71 Link Here
66
      else
66
      else
67
        FT_MEM_ZERO( block, size );
67
        FT_MEM_ZERO( block, size );
68
    }
68
    }
69
    else if ( size < 0 )
70
    {
71
      /* may help catch/prevent nasty security issues */
72
      error = FT_Err_Invalid_Argument;
73
    }
69
74
70
    *p_error = error;
75
    *p_error = error;
71
    return block;
76
    return block;
Lines 87-92 Link Here
87
      if ( block == NULL )
92
      if ( block == NULL )
88
        error = FT_Err_Out_Of_Memory;
93
        error = FT_Err_Out_Of_Memory;
89
    }
94
    }
95
    else
96
    {
97
      /* may help catch/prevent security issues */
98
      error = FT_Err_Invalid_Argument;
99
    }
90
100
91
    *p_error = error;
101
    *p_error = error;
92
    return block;
102
    return block;
Lines 103-114 Link Here
103
    FT_Error  error = FT_Err_Ok;
113
    FT_Error  error = FT_Err_Ok;
104
114
105
115
106
    if ( size <= 0 )
116
    if ( size < 0 || current < 0 )
117
    {
118
      error = FT_Err_Invalid_Argument;
119
    }  
120
    else if ( size == 0 )
107
    {
121
    {
108
      ft_mem_free( memory, block );
122
      ft_mem_free( memory, block );
109
      block = NULL;
123
      block = NULL;
110
    }
124
    }
111
    else if ( current <= 0 )
125
    else if ( current == 0 )
112
    {
126
    {
113
      FT_ASSERT( block == NULL );
127
      FT_ASSERT( block == NULL );
114
128
Lines 145-156 Link Here
145
    FT_Error  error = FT_Err_Ok;
159
    FT_Error  error = FT_Err_Ok;
146
160
147
161
148
    if ( size <= 0 )
162
    if ( size < 0 || current < 0 )
163
    {
164
      error = FT_Err_Invalid_Argument;
165
    }
166
    else if ( size == 0 )
149
    {
167
    {
150
      ft_mem_free( memory, block );
168
      ft_mem_free( memory, block );
151
      block = NULL;
169
      block = NULL;
152
    }
170
    }
153
    else if ( current <= 0 )
171
    else if ( current == 0 )
154
    {
172
    {
155
      FT_ASSERT( block == NULL );
173
      FT_ASSERT( block == NULL );
156
174
Lines 190-196 Link Here
190
  ft_mem_alloc( FT_Memory  memory,
208
  ft_mem_alloc( FT_Memory  memory,
191
                FT_Long    size,
209
                FT_Long    size,
192
                void*     *P )
210
                void*     *P )
193
  {
211
  { 
212
    FT_Error  error = FT_Err_Ok;
213
    
194
    FT_ASSERT( P != 0 );
214
    FT_ASSERT( P != 0 );
195
215
196
    if ( size > 0 )
216
    if ( size > 0 )
Lines 207-219 Link Here
207
      FT_MEM_ZERO( *P, size );
227
      FT_MEM_ZERO( *P, size );
208
    }
228
    }
209
    else
229
    else
230
    {
210
      *P = NULL;
231
      *P = NULL;
232
      if ( size < 0 )
233
        error = FT_Err_Invalid_Argument;
234
    }
211
235
212
    FT_TRACE7(( "ft_mem_alloc:" ));
236
    FT_TRACE7(( "ft_mem_alloc:" ));
213
    FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
237
    FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
214
                size, *P, P ));
238
                size, *P, P ));
215
239
216
    return FT_Err_Ok;
240
    return error;
217
  }
241
  }
218
242
219
243
Lines 224-229 Link Here
224
                 FT_Long    size,
248
                 FT_Long    size,
225
                 void*     *P )
249
                 void*     *P )
226
  {
250
  {
251
    FT_Error  error = FT_Err_Ok;
252
    
227
    FT_ASSERT( P != 0 );
253
    FT_ASSERT( P != 0 );
228
254
229
    if ( size > 0 )
255
    if ( size > 0 )
Lines 239-251 Link Here
239
      }
265
      }
240
    }
266
    }
241
    else
267
    else
268
    {
242
      *P = NULL;
269
      *P = NULL;
270
      if ( size < 0 )
271
        error = FT_Err_Invalid_Argument;
272
    }
243
273
244
    FT_TRACE7(( "ft_mem_qalloc:" ));
274
    FT_TRACE7(( "ft_mem_qalloc:" ));
245
    FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
275
    FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
246
                size, *P, P ));
276
                size, *P, P ));
247
277
248
    return FT_Err_Ok;
278
    return error;
249
  }
279
  }
250
280
251
281
Lines 267-278 Link Here
267
      return ft_mem_alloc( memory, size, P );
297
      return ft_mem_alloc( memory, size, P );
268
298
269
    /* if the new block if zero-sized, clear the current one */
299
    /* if the new block if zero-sized, clear the current one */
270
    if ( size <= 0 )
300
    if ( size == 0 )
271
    {
301
    {
272
      ft_mem_free( memory, P );
302
      ft_mem_free( memory, P );
273
      return FT_Err_Ok;
303
      return FT_Err_Ok;
274
    }
304
    }
275
305
306
    if ( size < 0 || current < 0 )
307
      return FT_Err_Invalid_Argument;
308
276
    Q = memory->realloc( memory, current, size, *P );
309
    Q = memory->realloc( memory, current, size, *P );
277
    if ( !Q )
310
    if ( !Q )
278
      goto Fail;
311
      goto Fail;
Lines 309-320 Link Here
309
      return ft_mem_qalloc( memory, size, P );
342
      return ft_mem_qalloc( memory, size, P );
310
343
311
    /* if the new block if zero-sized, clear the current one */
344
    /* if the new block if zero-sized, clear the current one */
312
    if ( size <= 0 )
345
    if ( size == 0 )
313
    {
346
    {
314
      ft_mem_free( memory, P );
347
      ft_mem_free( memory, P );
315
      return FT_Err_Ok;
348
      return FT_Err_Ok;
316
    }
349
    }
317
350
351
    if ( size < 0 || current < 0 )
352
      return FT_Err_Invalid_Argument;
353
318
    Q = memory->realloc( memory, current, size, *P );
354
    Q = memory->realloc( memory, current, size, *P );
319
    if ( !Q )
355
    if ( !Q )
320
      goto Fail;
356
      goto Fail;
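Review bot: At new line 95 the added branch is a bare `else`, while the matching branch at new line 69 is `else if ( size < 0 )`; if the `if` it belongs to tests `size > 0` (it lies outside the hunk), a zero-size request would now fail with `FT_Err_Invalid_Argument` instead of returning a NULL block without error. Suggest `else if ( size < 0 )` there, for consistency with line 69 and with the `size == 0` handling at new lines 120 and 166. Separately, these guards only reject values that arrive negative; a length computation that wrapped to a positive value would still pass, so callers deriving `size` from font data need their own range check (the callers are not on this page). The early `return FT_Err_Invalid_Argument` at new lines 306 and 351 leaves `*P` untouched, which is worth stating in the function comment so callers know they still own the old block.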
(-)a/src/cache/ftccache.c (-1 / +2 lines)
Lines 256-262 Link Here
256
256
257
257
258
  /* remove a node from the cache manager */
258
  /* remove a node from the cache manager */
259
  FT_LOCAL_DEF( void )
259
  /* this function is FT_BASE since it may be called by old rogue clients */
260
  FT_BASE_DEF( void )
260
  ftc_node_destroy( FTC_Node     node,
261
  ftc_node_destroy( FTC_Node     node,
261
                    FTC_Manager  manager )
262
                    FTC_Manager  manager )
262
  {
263
  {
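Review bot: Switching `ftc_node_destroy` to `FT_BASE_DEF` at new line 260 makes an internal cache routine callable from outside the cache module, and the new comment does not say which clients need it or for how long. The matching declaration has to use the base-visibility macro as well; it is not part of this page, so confirm it was updated. Suggest expanding the comment, e.g. `/* kept visible only for old clients that call it directly; not a supported API */`. The function body continues outside the hunk.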
(-)a/src/cff/cffload.c (-2 / +5 lines)
Lines 1235-1241 Link Here
1235
      }
1235
      }
1236
1236
1237
      /* access element */
1237
      /* access element */
1238
      if ( off1 )
1238
      if ( off1 && off2 > off1 )
1239
      {
1239
      {
1240
        *pbyte_len = off2 - off1;
1240
        *pbyte_len = off2 - off1;
1241
1241
Lines 2011-2017 Link Here
2011
2011
2012
    if ( error )
2012
    if ( error )
2013
      goto Exit;
2013
      goto Exit;
2014
2014
 
2015
    /* if it is a CID font, we stop there */
2015
    /* if it is a CID font, we stop there */
2016
    if ( top->cid_registry != 0xFFFFU )
2016
    if ( top->cid_registry != 0xFFFFU )
2017
      goto Exit;
2017
      goto Exit;
Lines 2040-2045 Link Here
2040
      FT_FRAME_EXIT();
2040
      FT_FRAME_EXIT();
2041
      if ( error )
2041
      if ( error )
2042
        goto Exit;
2042
        goto Exit;
2043
2044
      /* ensure that 'num_blue_values' is even */
2045
      priv->num_blue_values &= ~1;
2043
    }
2046
    }
2044
2047
2045
    /* read the local subrs, if any */
2048
    /* read the local subrs, if any */
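Review bot: The new test `off1 && off2 > off1` at line 1238 rejects reversed or equal offsets, but nothing visible in this hunk bounds `off2` by the size of the index data, so `*pbyte_len = off2 - off1` can still describe a range that runs past the end of the table in a malformed font. If the rest of the function (outside the hunk) does not already check this, the element should be treated as empty or clamped when `off2` exceeds the data length. A short comment on the condition, such as `/* ignore entries whose offsets are not increasing */`, would also record why `off2 > off1` is there.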
(-)a/src/pshinter/pshglob.c (-1 / +1 lines)
Lines 150-156 Link Here
150
    FT_UNUSED( target );
150
    FT_UNUSED( target );
151
151
152
152
153
    for ( ; read_count > 0; read_count -= 2 )
153
    for ( ; read_count > 1; read_count -= 2 )
154
    {
154
    {
155
      FT_Int         reference, delta;
155
      FT_Int         reference, delta;
156
      FT_UInt        count;
156
      FT_UInt        count;
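Review bot: The loop bound at line 153 changes from `> 0` to `> 1` without a comment, so the reason is recorded only in the ChangeLog. Suggest adding `/* values come in pairs; skip a trailing unpaired entry from a malformed font */` above the `for`. The loop body continues outside the hunk.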
(-)a/src/type1/t1load.c (+3 lines)
Lines 1989-1994 Link Here
1989
                        keyword_flags );
1989
                        keyword_flags );
1990
    if ( error )
1990
    if ( error )
1991
      goto Exit;
1991
      goto Exit;
1992
 
1993
    /* ensure even-ness of 'num_blue_values' */
1994
    priv->num_blue_values &= ~1;
1992
1995
1993
#ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT
1996
#ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT
1994
1997
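Review bot: Only `num_blue_values` is forced even at new line 1994, and likewise at new line 2045 of src/cff/cffload.c. Any other pair-based blue counts loaded by the same code are left as parsed and depend on the `read_count > 1` guard in src/pshinter/pshglob.c. Either round them here too or say so in the comment, e.g. `/* other blue arrays are guarded in the hinter */`. `&= ~1` also silently drops the last value rather than rejecting the font, which deserves a word in the comment or a trace message.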
