diff -uNr -x '*.orig' freetype-2.1.10/include/freetype/fterrdef.h freetype-2.1.10.mandrk/include/freetype/fterrdef.h --- freetype-2.1.10/include/freetype/fterrdef.h 2004-02-12 09:33:20.000000000 +0100 +++ freetype-2.1.10.mandrk/include/freetype/fterrdef.h 2006-06-20 20:17:22.000000000 +0200 @@ -52,6 +52,8 @@ "broken table" ) FT_ERRORDEF_( Invalid_Offset, 0x09, \ "broken offset within table" ) + FT_ERRORDEF_( Array_Too_Large, 0x0A, \ + "array allocation size too large" ) /* glyph/character errors */ @@ -226,6 +228,8 @@ "`ENCODING' field missing" ) FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ "`BBX' field missing" ) + FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \ + "`BBX' too big" ) /* END */ diff -uNr -x '*.orig' freetype-2.1.10/include/freetype/internal/ftmemory.h freetype-2.1.10.mandrk/include/freetype/internal/ftmemory.h --- freetype-2.1.10/include/freetype/internal/ftmemory.h 2005-06-04 07:17:10.000000000 +0200 +++ freetype-2.1.10.mandrk/include/freetype/internal/ftmemory.h 2006-06-20 20:17:22.000000000 +0200 @@ -56,200 +56,130 @@ /*************************************************************************/ /*************************************************************************/ + /* C++ absolutely hates statements like p = (void*)anything; where 'p' is + * a typed pointer. Since we don't have a typeof operator in standard C++, + * we need some really ugly casts, like: + */ + +#ifdef __cplusplus +#define FT_ASSIGNP( p, val ) *((void**)&(p)) = (val) +#else +#define FT_ASSIGNP( p, val ) (p) = (val) +#endif + + #ifdef FT_DEBUG_MEMORY + FT_BASE( const char* ) _ft_debug_file; + FT_BASE( long ) _ft_debug_lineno; + +# define FT_DEBUG_INNER( exp ) ( _ft_debug_file = __FILE__, \ + _ft_debug_lineno = __LINE__, \ + (exp) ) - FT_BASE( FT_Error ) - FT_Alloc_Debug( FT_Memory memory, - FT_Long size, - void* *P, - const char* file_name, - FT_Long line_no ); - - FT_BASE( FT_Error ) - FT_QAlloc_Debug( FT_Memory memory, - FT_Long size, - void* *P, - const char* file_name, - FT_Long line_no ); - - FT_BASE( FT_Error ) - FT_Realloc_Debug( FT_Memory memory, - FT_Long current, - FT_Long size, - void* *P, - const char* file_name, - FT_Long line_no ); - - FT_BASE( FT_Error ) - FT_QRealloc_Debug( FT_Memory memory, - FT_Long current, - FT_Long size, - void* *P, - const char* file_name, - FT_Long line_no ); +# define FT_ASSIGNP_INNER( p, exp ) ( _ft_debug_file = __FILE__, \ + _ft_debug_lineno = __LINE__, \ + FT_ASSIGNP( p, exp ) ) + +#else /* !FT_DEBUG_MEMORY */ + +# define FT_DEBUG_INNER( exp ) (exp) +# define FT_ASSIGNP_INNER( p, exp ) FT_ASSIGNP( p, exp ) + +#endif /* !FT_DEBUG_MEMORY */ + + /* + * The allocation functions return a pointer, and the error code + * is written to through the `p_error' parameter. See below for + * for documentation. + */ + + FT_BASE( FT_Pointer ) + ft_mem_alloc( FT_Memory memory, + FT_Long size, + FT_Error *p_error ); + + FT_BASE( FT_Pointer ) + ft_mem_qalloc( FT_Memory memory, + FT_Long size, + FT_Error *p_error ); + + FT_BASE( FT_Pointer ) + ft_mem_realloc( FT_Memory memory, + FT_Long item_size, + FT_Long cur_count, + FT_Long new_count, + void* block, + FT_Error *p_error ); + + FT_BASE( FT_Pointer ) + ft_mem_qrealloc( FT_Memory memory, + FT_Long item_size, + FT_Long cur_count, + FT_Long new_count, + void* block, + FT_Error *p_error ); FT_BASE( void ) - FT_Free_Debug( FT_Memory memory, - FT_Pointer block, - const char* file_name, - FT_Long line_no ); + ft_mem_free( FT_Memory memory, + const void* P ); -#endif +#define FT_MEM_ALLOC( ptr, size ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_alloc( memory, (size), &error ) ) - /*************************************************************************/ - /* */ - /* */ - /* FT_Alloc */ - /* */ - /* */ - /* Allocates a new block of memory. The returned area is always */ - /* zero-filled; this is a strong convention in many FreeType parts. */ - /* */ - /* */ - /* memory :: A handle to a given `memory object' which handles */ - /* allocation. */ - /* */ - /* size :: The size in bytes of the block to allocate. */ - /* */ - /* */ - /* P :: A pointer to the fresh new block. It should be set to */ - /* NULL if `size' is 0, or in case of error. */ - /* */ - /* */ - /* FreeType error code. 0 means success. */ - /* */ - FT_BASE( FT_Error ) - FT_Alloc( FT_Memory memory, - FT_Long size, - void* *P ); +#define FT_MEM_FREE( ptr ) \ + FT_BEGIN_STMNT \ + ft_mem_free( memory, (ptr) ); \ + (ptr) = NULL; \ + FT_END_STMNT +#define FT_MEM_NEW( ptr ) \ + FT_MEM_ALLOC( ptr, sizeof ( *(ptr) ) ) - /*************************************************************************/ - /* */ - /* */ - /* FT_QAlloc */ - /* */ - /* */ - /* Allocates a new block of memory. The returned area is *not* */ - /* zero-filled, making allocation quicker. */ - /* */ - /* */ - /* memory :: A handle to a given `memory object' which handles */ - /* allocation. */ - /* */ - /* size :: The size in bytes of the block to allocate. */ - /* */ - /* */ - /* P :: A pointer to the fresh new block. It should be set to */ - /* NULL if `size' is 0, or in case of error. */ - /* */ - /* */ - /* FreeType error code. 0 means success. */ - /* */ - FT_BASE( FT_Error ) - FT_QAlloc( FT_Memory memory, - FT_Long size, - void* *p ); +#define FT_MEM_REALLOC( ptr, cursz, newsz ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, 1, \ + (cursz), (newsz), \ + (ptr), &error ) ) +#define FT_MEM_QALLOC( ptr, size ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_qalloc( memory, (size), &error ) ) - /*************************************************************************/ - /* */ - /* */ - /* FT_Realloc */ - /* */ - /* */ - /* Reallocates a block of memory pointed to by `*P' to `Size' bytes */ - /* from the heap, possibly changing `*P'. The returned area is */ - /* zero-filled. */ - /* */ - /* */ - /* memory :: A handle to a given `memory object' which handles */ - /* reallocation. */ - /* */ - /* current :: The current block size in bytes. */ - /* */ - /* size :: The new block size in bytes. */ - /* */ - /* */ - /* P :: A pointer to the fresh new block. It should be set to */ - /* NULL if `size' is 0, or in case of error. */ - /* */ - /* */ - /* FreeType error code. 0 means success. */ - /* */ - /* */ - /* All callers of FT_Realloc() _must_ provide the current block size */ - /* as well as the new one. */ - /* */ - FT_BASE( FT_Error ) - FT_Realloc( FT_Memory memory, - FT_Long current, - FT_Long size, - void* *P ); +#define FT_MEM_QNEW( ptr ) \ + FT_MEM_QALLOC( ptr, sizeof ( *(ptr) ) ) +#define FT_MEM_QREALLOC( ptr, cursz, newsz ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, 1, \ + (cursz), (newsz), \ + (ptr), &error ) ) - /*************************************************************************/ - /* */ - /* */ - /* FT_QRealloc */ - /* */ - /* */ - /* Reallocates a block of memory pointed to by `*P' to `Size' bytes */ - /* from the heap, possibly changing `*P'. The returned area is *not* */ - /* zero-filled, making reallocation quicker. */ - /* */ - /* */ - /* memory :: A handle to a given `memory object' which handles */ - /* reallocation. */ - /* */ - /* current :: The current block size in bytes. */ - /* */ - /* size :: The new block size in bytes. */ - /* */ - /* */ - /* P :: A pointer to the fresh new block. It should be set to */ - /* NULL if `size' is 0, or in case of error. */ - /* */ - /* */ - /* FreeType error code. 0 means success. */ - /* */ - /* */ - /* All callers of FT_Realloc() _must_ provide the current block size */ - /* as well as the new one. */ - /* */ - FT_BASE( FT_Error ) - FT_QRealloc( FT_Memory memory, - FT_Long current, - FT_Long size, - void* *p ); +#define FT_MEM_QRENEW_ARRAY( ptr, cursz, newsz ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, sizeof ( *(ptr) ), \ + (cursz), (newsz), \ + (ptr), &error ) ) +#define FT_MEM_ALLOC_MULT( ptr, count, item_size ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, (item_size), \ + 0, (count), \ + NULL, &error ) ) - /*************************************************************************/ - /* */ - /* */ - /* FT_Free */ - /* */ - /* */ - /* Releases a given block of memory allocated through FT_Alloc(). */ - /* */ - /* */ - /* memory :: A handle to a given `memory object' which handles */ - /* memory deallocation */ - /* */ - /* P :: This is the _address_ of a _pointer_ which points to the */ - /* allocated block. It is always set to NULL on exit. */ - /* */ - /* */ - /* If P or *P is NULL, this function should return successfully. */ - /* This is a strong convention within all of FreeType and its */ - /* drivers. */ - /* */ - FT_BASE( void ) - FT_Free( FT_Memory memory, - void* *P ); +#define FT_MEM_REALLOC_MULT( ptr, oldcnt, newcnt, itmsz ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, (itmsz), \ + (oldcnt), (newcnt), \ + (ptr), &error ) ) + +#define FT_MEM_QALLOC_MULT( ptr, count, item_size ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, (item_size), \ + 0, (count), \ + NULL, &error ) ) + +#define FT_MEM_QREALLOC_MULT( ptr, oldcnt, newcnt, itmsz) \ + FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, (itmsz), \ + (oldcnt), (newcnt), \ + (ptr), &error ) ) +#define FT_MEM_SET_ERROR( cond ) ( (cond), error != 0 ) + #define FT_MEM_SET( dest, byte, count ) ft_memset( dest, byte, count ) #define FT_MEM_COPY( dest, source, count ) ft_memcpy( dest, source, count ) @@ -280,93 +210,76 @@ #define FT_ARRAY_CHECK( ptr, count ) ( (count) <= FT_ARRAY_MAX( ptr ) ) - /*************************************************************************/ /* */ - /* We first define FT_MEM_ALLOC, FT_MEM_REALLOC, and FT_MEM_FREE. All */ - /* macros use an _implicit_ `memory' parameter to access the current */ - /* memory allocator. */ + /* The following functions macros expect that their pointer argument is */ + /* _typed_ in order to automatically compute array element sizes. */ /* */ -#ifdef FT_DEBUG_MEMORY +#define FT_MEM_NEW_ARRAY( ptr, count ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, sizeof ( *(ptr) ), \ + 0, (count), \ + NULL, &error ) ) -#define FT_MEM_ALLOC( _pointer_, _size_ ) \ - FT_Alloc_Debug( memory, _size_, \ - (void**)(void*)&(_pointer_), \ - __FILE__, __LINE__ ) +#define FT_MEM_RENEW_ARRAY( ptr, cursz, newsz ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, sizeof ( *(ptr) ), \ + (cursz), (newsz), \ + (ptr), &error ) ) -#define FT_MEM_REALLOC( _pointer_, _current_, _size_ ) \ - FT_Realloc_Debug( memory, _current_, _size_, \ - (void**)(void*)&(_pointer_), \ - __FILE__, __LINE__ ) +#define FT_MEM_QNEW_ARRAY( ptr, count ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, sizeof ( *(ptr) ), \ + 0, (count), \ + NULL, &error ) ) -#define FT_MEM_QALLOC( _pointer_, _size_ ) \ - FT_QAlloc_Debug( memory, _size_, \ - (void**)(void*)&(_pointer_), \ - __FILE__, __LINE__ ) +#define FT_MEM_QRENEW_ARRAY( ptr, cursz, newsz ) \ + FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, sizeof ( *(ptr) ), \ + (cursz), (newsz), \ + (ptr), &error ) ) -#define FT_MEM_QREALLOC( _pointer_, _current_, _size_ ) \ - FT_QRealloc_Debug( memory, _current_, _size_, \ - (void**)(void*)&(_pointer_), \ - __FILE__, __LINE__ ) +#define FT_ALLOC( ptr, size ) \ + FT_MEM_SET_ERROR( FT_MEM_ALLOC( ptr, size ) ) -#define FT_MEM_FREE( _pointer_ ) \ - FT_Free_Debug( memory, (void**)(void*)&(_pointer_), \ - __FILE__, __LINE__ ) +#define FT_REALLOC( ptr, cursz, newsz ) \ + FT_MEM_SET_ERROR( FT_MEM_REALLOC( ptr, cursz, newsz ) ) +#define FT_ALLOC_MULT( ptr, count, item_size ) \ + FT_MEM_SET_ERROR( FT_MEM_ALLOC_MULT( ptr, count, item_size ) ) -#else /* !FT_DEBUG_MEMORY */ +#define FT_REALLOC_MULT( ptr, oldcnt, newcnt, itmsz ) \ + FT_MEM_SET_ERROR( FT_MEM_REALLOC_MULT( ptr, oldcnt, \ + newcnt, itmsz ) ) +#define FT_QALLOC( ptr, size ) \ + FT_MEM_SET_ERROR( FT_MEM_QALLOC( ptr, size ) ) -#define FT_MEM_ALLOC( _pointer_, _size_ ) \ - FT_Alloc( memory, _size_, \ - (void**)(void*)&(_pointer_) ) +#define FT_QREALLOC( ptr, cursz, newsz ) \ + FT_MEM_SET_ERROR( FT_MEM_QREALLOC( ptr, cursz, newsz ) ) -#define FT_MEM_FREE( _pointer_ ) \ - FT_Free( memory, \ - (void**)(void*)&(_pointer_) ) +#define FT_QALLOC_MULT( ptr, count, item_size ) \ + FT_MEM_SET_ERROR( FT_MEM_QALLOC_MULT( ptr, count, item_size ) ) -#define FT_MEM_REALLOC( _pointer_, _current_, _size_ ) \ - FT_Realloc( memory, _current_, _size_, \ - (void**)(void*)&(_pointer_) ) +#define FT_QREALLOC_MULT( ptr, oldcnt, newcnt, itmsz ) \ + FT_MEM_SET_ERROR( FT_MEM_QREALLOC_MULT( ptr, oldcnt, \ + newcnt, itmsz ) ) -#define FT_MEM_QALLOC( _pointer_, _size_ ) \ - FT_QAlloc( memory, _size_, \ - (void**)(void*)&(_pointer_) ) +#define FT_FREE( ptr ) FT_MEM_FREE( ptr ) -#define FT_MEM_QREALLOC( _pointer_, _current_, _size_ ) \ - FT_QRealloc( memory, _current_, _size_, \ - (void**)(void*)&(_pointer_) ) +#define FT_NEW( ptr ) FT_MEM_SET_ERROR( FT_MEM_NEW( ptr ) ) -#endif /* !FT_DEBUG_MEMORY */ +#define FT_NEW_ARRAY( ptr, count ) \ + FT_MEM_SET_ERROR( FT_MEM_NEW_ARRAY( ptr, count ) ) +#define FT_RENEW_ARRAY( ptr, curcnt, newcnt ) \ + FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) ) - /*************************************************************************/ - /* */ - /* The following functions macros expect that their pointer argument is */ - /* _typed_ in order to automatically compute array element sizes. */ - /* */ - -#define FT_MEM_NEW( _pointer_ ) \ - FT_MEM_ALLOC( _pointer_, sizeof ( *(_pointer_) ) ) - -#define FT_MEM_NEW_ARRAY( _pointer_, _count_ ) \ - FT_MEM_ALLOC( _pointer_, (_count_) * sizeof ( *(_pointer_) ) ) - -#define FT_MEM_RENEW_ARRAY( _pointer_, _old_, _new_ ) \ - FT_MEM_REALLOC( _pointer_, (_old_) * sizeof ( *(_pointer_) ), \ - (_new_) * sizeof ( *(_pointer_) ) ) +#define FT_QNEW( ptr ) \ + FT_MEM_SET_ERROR( FT_MEM_QNEW( ptr ) ) -#define FT_MEM_QNEW( _pointer_ ) \ - FT_MEM_QALLOC( _pointer_, sizeof ( *(_pointer_) ) ) - -#define FT_MEM_QNEW_ARRAY( _pointer_, _count_ ) \ - FT_MEM_QALLOC( _pointer_, (_count_) * sizeof ( *(_pointer_) ) ) - -#define FT_MEM_QRENEW_ARRAY( _pointer_, _old_, _new_ ) \ - FT_MEM_QREALLOC( _pointer_, (_old_) * sizeof ( *(_pointer_) ), \ - (_new_) * sizeof ( *(_pointer_) ) ) +#define FT_QNEW_ARRAY( ptr, count ) \ + FT_MEM_SET_ERROR( FT_MEM_NEW_ARRAY( ptr, count ) ) +#define FT_QRENEW_ARRAY( ptr, curcnt, newcnt ) \ + FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) ) /*************************************************************************/ /* */ @@ -388,44 +301,6 @@ /* if an error occured (i.e. if 'error != 0'). */ /* */ -#define FT_ALLOC( _pointer_, _size_ ) \ - FT_SET_ERROR( FT_MEM_ALLOC( _pointer_, _size_ ) ) - -#define FT_REALLOC( _pointer_, _current_, _size_ ) \ - FT_SET_ERROR( FT_MEM_REALLOC( _pointer_, _current_, _size_ ) ) - -#define FT_QALLOC( _pointer_, _size_ ) \ - FT_SET_ERROR( FT_MEM_QALLOC( _pointer_, _size_ ) ) - -#define FT_QREALLOC( _pointer_, _current_, _size_ ) \ - FT_SET_ERROR( FT_MEM_QREALLOC( _pointer_, _current_, _size_ ) ) - - -#define FT_FREE( _pointer_ ) \ - FT_MEM_FREE( _pointer_ ) - - -#define FT_NEW( _pointer_ ) \ - FT_ALLOC( _pointer_, sizeof ( *(_pointer_) ) ) - -#define FT_NEW_ARRAY( _pointer_, _count_ ) \ - FT_ALLOC( _pointer_, sizeof ( *(_pointer_) ) * (_count_) ) - -#define FT_RENEW_ARRAY( _pointer_, _old_, _new_ ) \ - FT_REALLOC( _pointer_, sizeof ( *(_pointer_) ) * (_old_), \ - sizeof ( *(_pointer_) ) * (_new_) ) - -#define FT_QNEW( _pointer_ ) \ - FT_QALLOC( _pointer_, sizeof ( *(_pointer_) ) ) - -#define FT_QNEW_ARRAY( _pointer_, _count_ ) \ - FT_QALLOC( _pointer_, sizeof ( *(_pointer_) ) * (_count_) ) - -#define FT_QRENEW_ARRAY( _pointer_, _old_, _new_ ) \ - FT_QREALLOC( _pointer_, sizeof ( *(_pointer_) ) * (_old_), \ - sizeof ( *(_pointer_) ) * (_new_) ) - - #define FT_ALLOC_ARRAY( _pointer_, _count_, _type_ ) \ FT_ALLOC( _pointer_, (_count_) * sizeof ( _type_ ) ) diff -uNr -x '*.orig' freetype-2.1.10/include/freetype/internal/ftstream.h freetype-2.1.10.mandrk/include/freetype/internal/ftstream.h --- freetype-2.1.10/include/freetype/internal/ftstream.h 2005-03-16 02:13:31.000000000 +0100 +++ freetype-2.1.10.mandrk/include/freetype/internal/ftstream.h 2006-06-20 20:17:22.000000000 +0200 @@ -514,18 +514,21 @@ FT_SET_ERROR( FT_Stream_ReadFields( stream, fields, object ) ) -#define FT_FRAME_ENTER( size ) \ - FT_SET_ERROR( FT_Stream_EnterFrame( stream, size ) ) +#define FT_FRAME_ENTER( size ) \ + FT_SET_ERROR( \ + FT_DEBUG_INNER( FT_Stream_EnterFrame( stream, size ) ) ) #define FT_FRAME_EXIT() \ - FT_Stream_ExitFrame( stream ) + FT_DEBUG_INNER( FT_Stream_ExitFrame( stream ) ) -#define FT_FRAME_EXTRACT( size, bytes ) \ - FT_SET_ERROR( FT_Stream_ExtractFrame( stream, size, \ - (FT_Byte**)&(bytes) ) ) - -#define FT_FRAME_RELEASE( bytes ) \ - FT_Stream_ReleaseFrame( stream, (FT_Byte**)&(bytes) ) +#define FT_FRAME_EXTRACT( size, bytes ) \ + FT_SET_ERROR( \ + FT_DEBUG_INNER( FT_Stream_ExtractFrame( stream, size, \ + (FT_Byte**)&(bytes) ) ) ) + +#define FT_FRAME_RELEASE( bytes ) \ + FT_DEBUG_INNER( FT_Stream_ReleaseFrame( stream, \ + (FT_Byte**)&(bytes) ) ) FT_END_HEADER diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftbitmap.c freetype-2.1.10.mandrk/src/base/ftbitmap.c --- freetype-2.1.10/src/base/ftbitmap.c 2005-05-30 15:53:09.000000000 +0200 +++ freetype-2.1.10.mandrk/src/base/ftbitmap.c 2006-06-20 20:17:22.000000000 +0200 @@ -165,7 +165,7 @@ new_pitch = ( bitmap->width + xpixels + ppb - 1 ) / ppb; - if ( FT_ALLOC( buffer, new_pitch * ( bitmap->rows + ypixels ) ) ) + if ( FT_QALLOC_MULT( buffer, new_pitch, bitmap->rows + ypixels ) ) return error; if ( bitmap->pitch > 0 ) diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftdbgmem.c freetype-2.1.10.mandrk/src/base/ftdbgmem.c --- freetype-2.1.10/src/base/ftdbgmem.c 2005-03-03 12:34:15.000000000 +0100 +++ freetype-2.1.10.mandrk/src/base/ftdbgmem.c 2006-06-20 20:17:22.000000000 +0200 @@ -36,6 +36,8 @@ #include #include + FT_BASE_DEF( const char* ) _ft_debug_file = 0; + FT_BASE_DEF( long ) _ft_debug_lineno = 0; extern void FT_DumpMemory( FT_Memory memory ); @@ -48,7 +50,11 @@ #define FT_MEM_VAL( addr ) ((FT_ULong)(FT_Pointer)( addr )) - + /* + * This structure holds statistics for a single allocation/release + * site. This is useful to know where memory operations happen the + * most. + */ typedef struct FT_MemSourceRec_ { const char* file_name; @@ -76,7 +82,13 @@ */ #define FT_MEM_SOURCE_BUCKETS 128 - + /* + * This structure holds information related to a single allocated + * memory block. If KEEPALIVE is defined, blocks that are freed by + * FreeType are never released to the system. Instead, their `size' + * field is set to -size. This is mainly useful to detect double frees, + * at the price of large memory footprint during execution. + */ typedef struct FT_MemNodeRec_ { FT_Byte* address; @@ -94,6 +106,10 @@ } FT_MemNodeRec; + /* + * The global structure, containing compound statistics and all hash + * tables. + */ typedef struct FT_MemTableRec_ { FT_ULong size; @@ -113,9 +129,6 @@ FT_MemSource sources[FT_MEM_SOURCE_BUCKETS]; - const char* file_name; - FT_Long line_no; - FT_Bool keep_alive; FT_Memory memory; @@ -446,8 +459,8 @@ FT_MemSource node, *pnode; - hash = (FT_UInt32)(void*)table->file_name + - (FT_UInt32)( 5 * table->line_no ); + hash = (FT_UInt32)(void*)_ft_debug_file + + (FT_UInt32)( 5 * _ft_debug_lineno ); pnode = &table->sources[hash % FT_MEM_SOURCE_BUCKETS]; for ( ;; ) @@ -456,8 +469,8 @@ if ( node == NULL ) break; - if ( node->file_name == table->file_name && - node->line_no == table->line_no ) + if ( node->file_name == _ft_debug_file && + node->line_no == _ft_debug_lineno ) goto Exit; pnode = &node->link; @@ -468,8 +481,8 @@ ft_mem_debug_panic( "not enough memory to perform memory debugging\n" ); - node->file_name = table->file_name; - node->line_no = table->line_no; + node->file_name = _ft_debug_file; + node->line_no = _ft_debug_lineno; node->cur_blocks = 0; node->max_blocks = 0; @@ -525,7 +538,7 @@ "org=%s:%d new=%s:%d\n", node->address, node->size, FT_FILENAME( node->source->file_name ), node->source->line_no, - FT_FILENAME( table->file_name ), table->line_no ); + FT_FILENAME( _ft_debug_file ), _ft_debug_lineno ); } } @@ -593,7 +606,7 @@ "freeing memory block at %p more than once at (%s:%ld)\n" "block allocated at (%s:%ld) and released at (%s:%ld)", address, - FT_FILENAME( table->file_name ), table->line_no, + FT_FILENAME( _ft_debug_file ), _ft_debug_lineno, FT_FILENAME( node->source->file_name ), node->source->line_no, FT_FILENAME( node->free_file_name ), node->free_line_no ); @@ -611,8 +624,8 @@ /* we simply invert the node's size to indicate that the node */ /* was freed. */ node->size = -node->size; - node->free_file_name = table->file_name; - node->free_line_no = table->line_no; + node->free_file_name = _ft_debug_file; + node->free_line_no = _ft_debug_lineno; } else { @@ -634,7 +647,7 @@ ft_mem_debug_panic( "trying to free unknown block at %p in (%s:%ld)\n", address, - FT_FILENAME( table->file_name ), table->line_no ); + FT_FILENAME( _ft_debug_file ), _ft_debug_lineno ); } } @@ -657,7 +670,7 @@ /* return NULL if this allocation would overflow the maximum heap size */ if ( table->bound_total && - table->alloc_current + (FT_ULong)size > table->alloc_total_max ) + table->alloc_total_max - table->alloc_current > (FT_ULong)size ) return NULL; block = (FT_Byte *)ft_mem_table_alloc( table, size ); @@ -666,8 +679,8 @@ table->alloc_count++; - table->file_name = NULL; - table->line_no = 0; + _ft_debug_file = ""; + _ft_debug_lineno = 0; return (FT_Pointer)block; } @@ -682,8 +695,8 @@ if ( block == NULL ) ft_mem_debug_panic( "trying to free NULL in (%s:%ld)", - FT_FILENAME( table->file_name ), - table->line_no ); + FT_FILENAME( _ft_debug_file ), + _ft_debug_lineno ); ft_mem_table_remove( table, (FT_Byte*)block ); @@ -692,8 +705,8 @@ table->alloc_count--; - table->file_name = NULL; - table->line_no = 0; + _ft_debug_file = ""; + _ft_debug_lineno = 0; } @@ -707,8 +720,8 @@ FT_MemNode node, *pnode; FT_Pointer new_block; - const char* file_name = FT_FILENAME( table->file_name ); - FT_Long line_no = table->line_no; + const char* file_name = FT_FILENAME( _ft_debug_file ); + FT_Long line_no = _ft_debug_lineno; /* the following is valid according to ANSI C */ diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftmac.c freetype-2.1.10.mandrk/src/base/ftmac.c --- freetype-2.1.10/src/base/ftmac.c 2004-08-28 10:02:46.000000000 +0200 +++ freetype-2.1.10.mandrk/src/base/ftmac.c 2006-06-20 20:17:22.000000000 +0200 @@ -430,6 +430,7 @@ short res_id; unsigned char *buffer, *p, *size_p = NULL; FT_ULong total_size = 0; + FT_ULong old_total_size = 0; FT_ULong post_size, pfb_chunk_size; Handle post_data; char code, last_code; @@ -460,6 +461,15 @@ total_size += GetHandleSize( post_data ) - 2; last_code = code; + + /* detect integer overflows */ + if ( total_size < old_total_size ) + { + error = FT_Err_Array_Too_Large; + goto Error; + } + + old_total_size = total_size; } if ( FT_ALLOC( buffer, (FT_Long)total_size ) ) diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftobjs.c freetype-2.1.10.mandrk/src/base/ftobjs.c --- freetype-2.1.10/src/base/ftobjs.c 2005-06-06 08:22:42.000000000 +0200 +++ freetype-2.1.10.mandrk/src/base/ftobjs.c 2006-06-20 20:17:21.000000000 +0200 @@ -267,14 +267,15 @@ FT_ULong size ) { FT_Memory memory = FT_FACE_MEMORY( slot->face ); - + FT_Error error; if ( slot->internal->flags & FT_GLYPH_OWN_BITMAP ) FT_FREE( slot->bitmap.buffer ); else slot->internal->flags |= FT_GLYPH_OWN_BITMAP; - return FT_MEM_ALLOC( slot->bitmap.buffer, size ); + (void)FT_ALLOC( slot->bitmap.buffer, size ); + return error; } diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftrfork.c freetype-2.1.10.mandrk/src/base/ftrfork.c --- freetype-2.1.10/src/base/ftrfork.c 2005-05-22 07:46:10.000000000 +0200 +++ freetype-2.1.10.mandrk/src/base/ftrfork.c 2006-06-20 20:17:22.000000000 +0200 @@ -179,7 +179,7 @@ if ( error ) return error; - if ( FT_ALLOC( offsets_internal, *count * sizeof( FT_Long ) ) ) + if ( FT_NEW_ARRAY( offsets_internal, *count ) ) return error; for ( j = 0; j < *count; ++j ) @@ -426,20 +426,25 @@ FT_Error error; char* newpath; FT_Memory memory; + FT_Long base_file_len = ft_strlen( base_file_name ); FT_UNUSED( stream ); memory = library->memory; - if ( FT_ALLOC( newpath, - ft_strlen( base_file_name ) + ft_strlen( "/rsrc" ) + 1 ) ) + if ( base_file_len > FT_INT_MAX ) + return FT_Err_Array_Too_Large; + + if ( FT_ALLOC( newpath, base_file_len + 6 ) ) return error; - ft_strcpy( newpath, base_file_name ); - ft_strcat( newpath, "/rsrc" ); + FT_MEM_COPY( newpath, base_file_name, base_file_len ); + FT_MEM_COPY( newpath + base_file_len, "/rsrc", 6 ); + *result_file_name = newpath; - *result_offset = 0; + *result_offset = 0; + return FT_Err_Ok; } diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftstream.c freetype-2.1.10.mandrk/src/base/ftstream.c --- freetype-2.1.10/src/base/ftstream.c 2005-03-16 02:15:07.000000000 +0100 +++ freetype-2.1.10.mandrk/src/base/ftstream.c 2006-06-20 20:17:21.000000000 +0200 @@ -212,8 +212,12 @@ { FT_Memory memory = stream->memory; - +#ifdef FT_DEBUG_MEMORY + ft_mem_free( memory, *pbytes ); + *pbytes = NULL; +#else FT_FREE( *pbytes ); +#endif } *pbytes = 0; } @@ -235,10 +239,15 @@ /* allocate the frame in memory */ FT_Memory memory = stream->memory; - +#ifdef FT_DEBUG_MEMORY + /* assume _ft_debug_file and _ft_debug_lineno are already set */ + stream->base = (unsigned char*)ft_mem_qalloc( memory, count, &error ); + if ( error ) + goto Exit; +#else if ( FT_QALLOC( stream->base, count ) ) goto Exit; - +#endif /* read it */ read_bytes = stream->read( stream, stream->pos, stream->base, count ); @@ -298,8 +307,12 @@ { FT_Memory memory = stream->memory; - +#ifdef FT_DEBUG_MEMORY + ft_mem_free( memory, stream->base ); + stream->base = NULL; +#else FT_FREE( stream->base ); +#endif } stream->cursor = 0; stream->limit = 0; diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftutil.c freetype-2.1.10.mandrk/src/base/ftutil.c --- freetype-2.1.10/src/base/ftutil.c 2005-03-03 23:59:06.000000000 +0100 +++ freetype-2.1.10.mandrk/src/base/ftutil.c 2006-06-20 20:17:22.000000000 +0200 @@ -45,167 +45,126 @@ /*************************************************************************/ /*************************************************************************/ - /* documentation is in ftmemory.h */ - FT_BASE_DEF( FT_Error ) - FT_Alloc( FT_Memory memory, - FT_Long size, - void* *P ) + FT_BASE_DEF( FT_Pointer ) + ft_mem_alloc( FT_Memory memory, + FT_Long size, + FT_Error *p_error ) { - FT_ASSERT( P != 0 ); + FT_Error error; + FT_Pointer block = ft_mem_qalloc( memory, size, &error ); - if ( size > 0 ) - { - *P = memory->alloc( memory, size ); - if ( !*P ) - { - FT_ERROR(( "FT_Alloc:" )); - FT_ERROR(( " Out of memory? (%ld requested)\n", - size )); - - return FT_Err_Out_Of_Memory; - } - FT_MEM_ZERO( *P, size ); - } - else - *P = NULL; - - FT_TRACE7(( "FT_Alloc:" )); - FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n", - size, *P, P )); + if ( !error && size > 0 ) + FT_MEM_ZERO( block, size ); - return FT_Err_Ok; + *p_error = error; + return block; } - /* documentation is in ftmemory.h */ - - FT_BASE_DEF( FT_Error ) - FT_QAlloc( FT_Memory memory, - FT_Long size, - void* *P ) + FT_BASE_DEF( FT_Pointer ) + ft_mem_qalloc( FT_Memory memory, + FT_Long size, + FT_Error *p_error ) { - FT_ASSERT( P != 0 ); + FT_Error error = FT_Err_Ok; + FT_Pointer block = NULL; + if ( size > 0 ) { - *P = memory->alloc( memory, size ); - if ( !*P ) - { - FT_ERROR(( "FT_QAlloc:" )); - FT_ERROR(( " Out of memory? (%ld requested)\n", - size )); - - return FT_Err_Out_Of_Memory; - } + block = memory->alloc( memory, size ); + if ( block == NULL ) + error = FT_Err_Out_Of_Memory; + } + else if ( size < 0 ) + { + /* may help catch/prevent security issues */ + error = FT_Err_Invalid_Argument; } - else - *P = NULL; - - FT_TRACE7(( "FT_QAlloc:" )); - FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n", - size, *P, P )); - return FT_Err_Ok; + *p_error = error; + return block; } - /* documentation is in ftmemory.h */ - - FT_BASE_DEF( FT_Error ) - FT_Realloc( FT_Memory memory, - FT_Long current, - FT_Long size, - void** P ) + FT_BASE_DEF( FT_Pointer ) + ft_mem_realloc( FT_Memory memory, + FT_Long item_size, + FT_Long cur_count, + FT_Long new_count, + void* block, + FT_Error *p_error ) { - void* Q; - - - FT_ASSERT( P != 0 ); + FT_Error error = FT_Err_Ok; - /* if the original pointer is NULL, call FT_Alloc() */ - if ( !*P ) - return FT_Alloc( memory, size, P ); + block = ft_mem_qrealloc( memory, item_size, + cur_count, new_count, block, &error ); + if ( !error && new_count > cur_count ) + FT_MEM_ZERO( (char*)block + cur_count * item_size, + ( new_count - cur_count ) * item_size ); - /* if the new block if zero-sized, clear the current one */ - if ( size <= 0 ) - { - FT_Free( memory, P ); - return FT_Err_Ok; - } - - Q = memory->realloc( memory, current, size, *P ); - if ( !Q ) - goto Fail; - - if ( size > current ) - FT_MEM_ZERO( (char*)Q + current, size - current ); - - *P = Q; - return FT_Err_Ok; - - Fail: - FT_ERROR(( "FT_Realloc:" )); - FT_ERROR(( " Failed (current %ld, requested %ld)\n", - current, size )); - return FT_Err_Out_Of_Memory; + *p_error = error; + return block; } - /* documentation is in ftmemory.h */ - - FT_BASE_DEF( FT_Error ) - FT_QRealloc( FT_Memory memory, - FT_Long current, - FT_Long size, - void** P ) + FT_BASE_DEF( FT_Pointer ) + ft_mem_qrealloc( FT_Memory memory, + FT_Long item_size, + FT_Long cur_count, + FT_Long new_count, + void* block, + FT_Error *p_error ) { - void* Q; - - - FT_ASSERT( P != 0 ); + FT_Error error = FT_Err_Ok; - /* if the original pointer is NULL, call FT_QAlloc() */ - if ( !*P ) - return FT_QAlloc( memory, size, P ); - /* if the new block if zero-sized, clear the current one */ - if ( size <= 0 ) + if ( cur_count < 0 || new_count < 0 || item_size <= 0 ) { - FT_Free( memory, P ); - return FT_Err_Ok; + /* may help catch/prevent nasty security issues */ + error = FT_Err_Invalid_Argument; } + else if ( new_count == 0 ) + { + ft_mem_free( memory, block ); + block = NULL; + } + else if ( new_count > FT_INT_MAX/item_size ) + { + error = FT_Err_Array_Too_Large; + } + else if ( cur_count == 0 ) + { + FT_ASSERT( block == NULL ); - Q = memory->realloc( memory, current, size, *P ); - if ( !Q ) - goto Fail; + block = ft_mem_alloc( memory, new_count*item_size, &error ); + } + else + { + FT_Pointer block2; + FT_Long cur_size = cur_count*item_size; + FT_Long new_size = new_count*item_size; - *P = Q; - return FT_Err_Ok; - Fail: - FT_ERROR(( "FT_QRealloc:" )); - FT_ERROR(( " Failed (current %ld, requested %ld)\n", - current, size )); - return FT_Err_Out_Of_Memory; - } + block2 = memory->realloc( memory, cur_size, new_size, block ); + if ( block2 == NULL ) + error = FT_Err_Out_Of_Memory; + else + block = block2; + } + *p_error = error; + return block; + } - /* documentation is in ftmemory.h */ FT_BASE_DEF( void ) - FT_Free( FT_Memory memory, - void** P ) + ft_mem_free( FT_Memory memory, + const void *P ) { - FT_TRACE7(( "FT_Free:" )); - FT_TRACE7(( " Freeing block 0x%08p, ref 0x%08p\n", - P, P ? *P : (void*)0 )); - - if ( P && *P ) - { - memory->free( memory, *P ); - *P = 0; - } + if ( P ) + memory->free( memory, (void*)P ); } @@ -399,7 +358,7 @@ } - FT_BASE( FT_UInt32 ) + FT_BASE_DEF( FT_UInt32 ) ft_highpow2( FT_UInt32 value ) { FT_UInt32 value2; @@ -421,4 +380,70 @@ } +#ifdef FT_CONFIG_OPTION_OLD_INTERNALS + + FT_BASE_DEF( FT_Error ) + FT_Alloc( FT_Memory memory, + FT_Long size, + void* *P ) + { + FT_Error error; + + + (void)FT_ALLOC( *P, size ); + return error; + } + + + FT_BASE_DEF( FT_Error ) + FT_QAlloc( FT_Memory memory, + FT_Long size, + void* *p ) + { + FT_Error error; + + + (void)FT_QALLOC( *p, size ); + return error; + } + + + FT_BASE_DEF( FT_Error ) + FT_Realloc( FT_Memory memory, + FT_Long current, + FT_Long size, + void* *P ) + { + FT_Error error; + + + (void)FT_REALLOC( *P, current, size ); + return error; + } + + + FT_BASE_DEF( FT_Error ) + FT_QRealloc( FT_Memory memory, + FT_Long current, + FT_Long size, + void* *p ) + { + FT_Error error; + + + (void)FT_QREALLOC( *p, current, size ); + return error; + } + + + FT_BASE_DEF( void ) + FT_Free( FT_Memory memory, + void* *P ) + { + if ( *P ) + FT_MEM_FREE( *P ); + } + +#endif /* FT_CONFIG_OPTION_OLD_INTERNALS */ + /* END */ diff -uNr -x '*.orig' freetype-2.1.10/src/bdf/bdflib.c freetype-2.1.10.mandrk/src/bdf/bdflib.c --- freetype-2.1.10/src/bdf/bdflib.c 2005-05-21 19:19:52.000000000 +0200 +++ freetype-2.1.10.mandrk/src/bdf/bdflib.c 2006-06-20 20:17:17.000000000 +0200 @@ -1092,6 +1092,7 @@ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n" +#define ERRMSG4 "[line %ld] BBX too big.\n" static FT_Error @@ -1561,6 +1562,14 @@ p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 ); + /* Check that the encoding is in the range [0,65536] because */ + /* otherwise p->have (a bitmap with static size) overflows. */ + if ( p->glyph_enc >= sizeof(p->have)*8 ) + { + error = BDF_Err_Invalid_File_Format; + goto Exit; + } + /* Check to see whether this encoding has already been encountered. */ /* If it has then change it to unencoded so it gets added if */ /* indicated. */ @@ -1805,6 +1814,8 @@ /* And finally, gather up the bitmap. */ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) { + unsigned long bitmap_size; + if ( !( p->flags & _BDF_BBX ) ) { /* Missing BBX field. */ @@ -1815,7 +1826,16 @@ /* Allocate enough space for the bitmap. */ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; - glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height ); + + bitmap_size = glyph->bpr * glyph->bbx.height; + if ( bitmap_size > 0xFFFFU ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); + error = BDF_Err_Bbx_Too_Big; + goto Exit; + } + else + glyph->bytes = (unsigned short)bitmap_size; if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) goto Exit; diff -uNr -x '*.orig' freetype-2.1.10/src/cache/ftccache.c freetype-2.1.10.mandrk/src/cache/ftccache.c --- freetype-2.1.10/src/cache/ftccache.c 2005-05-23 23:24:16.000000000 +0200 +++ freetype-2.1.10.mandrk/src/cache/ftccache.c 2006-06-20 20:17:29.000000000 +0200 @@ -100,10 +100,10 @@ if ( p >= mask ) { FT_Memory memory = cache->memory; - + FT_Error error; /* if we can't expand the array, leave immediately */ - if ( FT_MEM_RENEW_ARRAY( cache->buckets, (mask+1)*2, (mask+1)*4 ) ) + if ( FT_RENEW_ARRAY( cache->buckets, (mask+1)*2, (mask+1)*4 ) ) break; } @@ -152,10 +152,10 @@ if ( p == 0 ) { FT_Memory memory = cache->memory; - + FT_Error error; /* if we can't shrink the array, leave immediately */ - if ( FT_MEM_RENEW_ARRAY( cache->buckets, + if ( FT_RENEW_ARRAY( cache->buckets, ( mask + 1 ) * 2, mask + 1 ) ) break; @@ -246,7 +246,8 @@ /* remove a node from the cache manager */ - FT_EXPORT_DEF( void ) + /* this function is FT_BASE since it may be called by old rogue clients */ + FT_BASE_DEF( void ) ftc_node_destroy( FTC_Node node, FTC_Manager manager ) { @@ -312,13 +313,15 @@ ftc_cache_init( FTC_Cache cache ) { FT_Memory memory = cache->memory; + FT_Error error; cache->p = 0; cache->mask = FTC_HASH_INITIAL_SIZE - 1; cache->slack = FTC_HASH_INITIAL_SIZE * FTC_HASH_MAX_LOAD; - return ( FT_MEM_NEW_ARRAY( cache->buckets, FTC_HASH_INITIAL_SIZE * 2 ) ); + (void)FT_NEW_ARRAY( cache->buckets, FTC_HASH_INITIAL_SIZE * 2 ); + return error; } diff -uNr -x '*.orig' freetype-2.1.10/src/cff/cffgload.c freetype-2.1.10.mandrk/src/cff/cffgload.c --- freetype-2.1.10/src/cff/cffgload.c 2005-04-18 06:53:05.000000000 +0200 +++ freetype-2.1.10.mandrk/src/cff/cffgload.c 2006-06-20 20:17:17.000000000 +0200 @@ -2284,7 +2284,7 @@ FT_LOCAL_DEF( FT_Error ) cff_slot_load( CFF_GlyphSlot glyph, CFF_Size size, - FT_Int glyph_index, + FT_UInt glyph_index, FT_Int32 load_flags ) { FT_Error error; @@ -2330,7 +2330,7 @@ error = sfnt->load_sbit_image( face, (FT_ULong)size->strike_index, - (FT_UInt)glyph_index, + glyph_index, (FT_Int)load_flags, stream, &glyph->root.bitmap, @@ -2393,7 +2393,12 @@ /* subsetted font, glyph_indices and CIDs are identical, though */ if ( cff->top_font.font_dict.cid_registry != 0xFFFFU && cff->charset.cids ) - glyph_index = cff->charset.cids[glyph_index]; + { + if ( glyph_index < cff->charset.max_cid ) + glyph_index = cff->charset.cids[glyph_index]; + else + glyph_index = 0; + } cff_decoder_init( &decoder, face, size, glyph, hinting, FT_LOAD_TARGET_MODE( load_flags ) ); diff -uNr -x '*.orig' freetype-2.1.10/src/cff/cffgload.h freetype-2.1.10.mandrk/src/cff/cffgload.h --- freetype-2.1.10/src/cff/cffgload.h 2004-05-13 23:59:17.000000000 +0200 +++ freetype-2.1.10.mandrk/src/cff/cffgload.h 2006-06-20 20:17:17.000000000 +0200 @@ -196,7 +196,7 @@ FT_LOCAL( FT_Error ) cff_slot_load( CFF_GlyphSlot glyph, CFF_Size size, - FT_Int glyph_index, + FT_UInt glyph_index, FT_Int32 load_flags ); diff -uNr -x '*.orig' freetype-2.1.10/src/cff/cffload.c freetype-2.1.10.mandrk/src/cff/cffload.c --- freetype-2.1.10/src/cff/cffload.c 2005-05-06 07:49:46.000000000 +0200 +++ freetype-2.1.10.mandrk/src/cff/cffload.c 2006-06-20 20:17:29.000000000 +0200 @@ -1235,7 +1235,7 @@ } /* access element */ - if ( off1 ) + if ( off1 && off2 > off1 ) { *pbyte_len = off2 - off1; @@ -1688,6 +1688,8 @@ for ( i = 0; i < num_glyphs; i++ ) charset->cids[charset->sids[i]] = (FT_UShort)i; + + charset->max_cid = max_cid; } Exit: @@ -2011,7 +2013,7 @@ if ( error ) goto Exit; - + /* if it is a CID font, we stop there */ if ( top->cid_registry != 0xFFFFU ) goto Exit; @@ -2040,6 +2042,9 @@ FT_FRAME_EXIT(); if ( error ) goto Exit; + + /* ensure that 'num_blue_values' is even */ + priv->num_blue_values &= ~1; } /* read the local subrs, if any */ @@ -2293,8 +2298,6 @@ { for ( idx = 0; idx < font->num_subfonts; idx++ ) cff_subfont_done( memory, font->subfonts[idx] ); - - FT_FREE( font->subfonts ); } cff_encoding_done( &font->encoding ); diff -uNr -x '*.orig' freetype-2.1.10/src/cff/cfftypes.h freetype-2.1.10.mandrk/src/cff/cfftypes.h --- freetype-2.1.10/src/cff/cfftypes.h 2003-12-20 08:30:05.000000000 +0100 +++ freetype-2.1.10.mandrk/src/cff/cfftypes.h 2006-06-20 20:17:17.000000000 +0200 @@ -84,6 +84,7 @@ FT_UShort* sids; FT_UShort* cids; /* the inverse mapping of `sids'; only needed */ /* for CID-keyed fonts */ + FT_UInt max_cid; } CFF_CharsetRec, *CFF_Charset; diff -uNr -x '*.orig' freetype-2.1.10/src/gzip/ftgzip.c freetype-2.1.10.mandrk/src/gzip/ftgzip.c --- freetype-2.1.10/src/gzip/ftgzip.c 2005-03-16 02:35:17.000000000 +0100 +++ freetype-2.1.10.mandrk/src/gzip/ftgzip.c 2006-06-20 20:17:22.000000000 +0200 @@ -99,12 +99,12 @@ uInt size ) { FT_ULong sz = (FT_ULong)size * items; + FT_Error error; FT_Pointer p; - FT_MEM_ALLOC( p, sz ); - - return (voidpf) p; + (void)FT_ALLOC( p, sz ); + return p; } diff -uNr -x '*.orig' freetype-2.1.10/src/pcf/pcfdrivr.c freetype-2.1.10.mandrk/src/pcf/pcfdrivr.c --- freetype-2.1.10/src/pcf/pcfdrivr.c 2004-07-28 02:09:02.000000000 +0200 +++ freetype-2.1.10.mandrk/src/pcf/pcfdrivr.c 2006-06-20 20:17:21.000000000 +0200 @@ -213,7 +213,7 @@ FT_FREE( prop->name ); if ( prop->isString ) - FT_FREE( prop->value ); + FT_FREE( prop->value.atom ); } FT_FREE( face->properties ); diff -uNr -x '*.orig' freetype-2.1.10/src/pshinter/pshglob.c freetype-2.1.10.mandrk/src/pshinter/pshglob.c --- freetype-2.1.10/src/pshinter/pshglob.c 2004-04-02 09:13:53.000000000 +0200 +++ freetype-2.1.10.mandrk/src/pshinter/pshglob.c 2006-06-20 20:17:29.000000000 +0200 @@ -150,7 +150,7 @@ FT_UNUSED( target ); - for ( ; read_count > 0; read_count -= 2 ) + for ( ; read_count > 1; read_count -= 2 ) { FT_Int reference, delta; FT_UInt count; diff -uNr -x '*.orig' freetype-2.1.10/src/raster/ftrend1.c freetype-2.1.10.mandrk/src/raster/ftrend1.c --- freetype-2.1.10/src/raster/ftrend1.c 2005-05-11 17:01:49.000000000 +0200 +++ freetype-2.1.10.mandrk/src/raster/ftrend1.c 2006-06-20 20:17:22.000000000 +0200 @@ -175,7 +175,7 @@ bitmap->rows = height; bitmap->pitch = pitch; - if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) ) + if ( FT_ALLOC_MULT( bitmap->buffer, pitch, height ) ) goto Exit; slot->internal->flags |= FT_GLYPH_OWN_BITMAP; diff -uNr -x '*.orig' freetype-2.1.10/src/sfnt/sfobjs.c freetype-2.1.10.mandrk/src/sfnt/sfobjs.c --- freetype-2.1.10/src/sfnt/sfobjs.c 2005-05-21 19:22:28.000000000 +0200 +++ freetype-2.1.10.mandrk/src/sfnt/sfobjs.c 2006-06-20 20:17:22.000000000 +0200 @@ -47,11 +47,12 @@ FT_String* string; FT_UInt len, code, n; FT_Byte* read = (FT_Byte*)entry->string; - + FT_Error error; + len = (FT_UInt)entry->stringLength / 2; - if ( FT_MEM_NEW_ARRAY( string, len + 1 ) ) + if ( FT_NEW_ARRAY( string, len + 1 ) ) return NULL; for ( n = 0; n < len; n++ ) @@ -77,11 +78,12 @@ FT_String* string; FT_UInt len, code, n; FT_Byte* read = (FT_Byte*)entry->string; - + FT_Error error; + len = (FT_UInt)entry->stringLength / 4; - if ( FT_MEM_NEW_ARRAY( string, len + 1 ) ) + if ( FT_NEW_ARRAY( string, len + 1 ) ) return NULL; for ( n = 0; n < len; n++ ) @@ -107,11 +109,12 @@ FT_String* string; FT_UInt len, code, n; FT_Byte* read = (FT_Byte*)entry->string; - + FT_Error error; + len = (FT_UInt)entry->stringLength; - if ( FT_MEM_NEW_ARRAY( string, len + 1 ) ) + if ( FT_NEW_ARRAY( string, len + 1 ) ) return NULL; for ( n = 0; n < len; n++ ) diff -uNr -x '*.orig' freetype-2.1.10/src/sfnt/ttcmap.c freetype-2.1.10.mandrk/src/sfnt/ttcmap.c --- freetype-2.1.10/src/sfnt/ttcmap.c 2005-05-11 16:37:40.000000000 +0200 +++ freetype-2.1.10.mandrk/src/sfnt/ttcmap.c 2006-06-20 20:17:17.000000000 +0200 @@ -2144,9 +2144,7 @@ charmap.encoding = FT_ENCODING_NONE; /* will be filled later */ offset = TT_NEXT_ULONG( p ); - if ( offset && - table + offset + 2 < limit && - table + offset >= table ) + if ( offset && offset <= face->cmap_size - 2 ) { FT_Byte* cmap = table + offset; volatile FT_UInt format = TT_PEEK_USHORT( cmap ); diff -uNr -x '*.orig' freetype-2.1.10/src/sfnt/ttpost.c freetype-2.1.10.mandrk/src/sfnt/ttpost.c --- freetype-2.1.10/src/sfnt/ttpost.c 2003-10-29 22:43:51.000000000 +0100 +++ freetype-2.1.10.mandrk/src/sfnt/ttpost.c 2006-06-20 20:17:22.000000000 +0200 @@ -292,7 +292,7 @@ goto Exit; } - if ( FT_ALLOC( offset_table, num_glyphs ) || + if ( FT_NEW_ARRAY( offset_table, num_glyphs ) || FT_STREAM_READ( offset_table, num_glyphs ) ) goto Fail; diff -uNr -x '*.orig' freetype-2.1.10/src/truetype/ttgxvar.c freetype-2.1.10.mandrk/src/truetype/ttgxvar.c --- freetype-2.1.10/src/truetype/ttgxvar.c 2005-05-22 07:49:48.000000000 +0200 +++ freetype-2.1.10.mandrk/src/truetype/ttgxvar.c 2006-06-20 20:17:22.000000000 +0200 @@ -684,15 +684,17 @@ goto Exit; } - if ( FT_ALLOC( face->blend, sizeof ( GX_BlendRec ) ) ) + if ( FT_NEW( face->blend ) ) goto Exit; + /* XXX: TODO - check for overflows */ face->blend->mmvar_len = sizeof ( FT_MM_Var ) + fvar_head.axisCount * sizeof ( FT_Var_Axis ) + fvar_head.instanceCount * sizeof ( FT_Var_Named_Style ) + fvar_head.instanceCount * fvar_head.axisCount * sizeof ( FT_Fixed ) + 5 * fvar_head.axisCount; + if ( FT_ALLOC( mmvar, face->blend->mmvar_len ) ) goto Exit; face->blend->mmvar = mmvar; diff -uNr -x '*.orig' freetype-2.1.10/src/type1/t1load.c freetype-2.1.10.mandrk/src/type1/t1load.c --- freetype-2.1.10/src/type1/t1load.c 2005-04-14 13:39:28.000000000 +0200 +++ freetype-2.1.10.mandrk/src/type1/t1load.c 2006-06-20 20:17:29.000000000 +0200 @@ -1990,6 +1990,9 @@ if ( error ) goto Exit; + /* ensure even-ness of 'num_blue_values' */ + priv->num_blue_values &= ~1; + #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT /* the following can happen for MM instances; we then treat the */ diff -uNr -x '*.orig' freetype-2.1.10/src/winfonts/winfnt.c freetype-2.1.10.mandrk/src/winfonts/winfnt.c --- freetype-2.1.10/src/winfonts/winfnt.c 2004-06-15 16:13:10.000000000 +0200 +++ freetype-2.1.10.mandrk/src/winfonts/winfnt.c 2006-06-20 20:17:22.000000000 +0200 @@ -633,7 +633,7 @@ /* note: since glyphs are stored in columns and not in rows we */ /* can't use ft_glyphslot_set_bitmap */ - if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) ) + if ( FT_ALLOC_MULT( bitmap->buffer, pitch, bitmap->rows ) ) goto Exit; column = (FT_Byte*)bitmap->buffer;