Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 89651 Details for
Bug 137388
media-libs/freetype-2.1.10-r1 crashes xorg
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
updated patchset
freetype-2.1.10-security_batch-r1.patch (text/plain), 60.49 KB, created by
foser (RETIRED)
on 2006-06-20 11:38:35 UTC
(
hide
)
Description:
updated patchset
Filename:
MIME Type:
Creator:
foser (RETIRED)
Created:
2006-06-20 11:38:35 UTC
Size:
60.49 KB
patch
obsolete
>diff -uNr -x '*.orig' freetype-2.1.10/include/freetype/fterrdef.h freetype-2.1.10.mandrk/include/freetype/fterrdef.h >--- freetype-2.1.10/include/freetype/fterrdef.h 2004-02-12 09:33:20.000000000 +0100 >+++ freetype-2.1.10.mandrk/include/freetype/fterrdef.h 2006-06-20 20:17:22.000000000 +0200 >@@ -52,6 +52,8 @@ > "broken table" ) > FT_ERRORDEF_( Invalid_Offset, 0x09, \ > "broken offset within table" ) >+ FT_ERRORDEF_( Array_Too_Large, 0x0A, \ >+ "array allocation size too large" ) > > /* glyph/character errors */ > >@@ -226,6 +228,8 @@ > "`ENCODING' field missing" ) > FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ > "`BBX' field missing" ) >+ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \ >+ "`BBX' too big" ) > > > /* END */ >diff -uNr -x '*.orig' freetype-2.1.10/include/freetype/internal/ftmemory.h freetype-2.1.10.mandrk/include/freetype/internal/ftmemory.h >--- freetype-2.1.10/include/freetype/internal/ftmemory.h 2005-06-04 07:17:10.000000000 +0200 >+++ freetype-2.1.10.mandrk/include/freetype/internal/ftmemory.h 2006-06-20 20:17:22.000000000 +0200 >@@ -56,200 +56,130 @@ > /*************************************************************************/ > /*************************************************************************/ > >+ /* C++ absolutely hates statements like p = (void*)anything; where 'p' is >+ * a typed pointer. Since we don't have a typeof operator in standard C++, >+ * we need some really ugly casts, like: >+ */ >+ >+#ifdef __cplusplus >+#define FT_ASSIGNP( p, val ) *((void**)&(p)) = (val) >+#else >+#define FT_ASSIGNP( p, val ) (p) = (val) >+#endif >+ >+ > #ifdef FT_DEBUG_MEMORY >+ FT_BASE( const char* ) _ft_debug_file; >+ FT_BASE( long ) _ft_debug_lineno; >+ >+# define FT_DEBUG_INNER( exp ) ( _ft_debug_file = __FILE__, \ >+ _ft_debug_lineno = __LINE__, \ >+ (exp) ) > >- FT_BASE( FT_Error ) >- FT_Alloc_Debug( FT_Memory memory, >- FT_Long size, >- void* *P, >- const char* file_name, >- FT_Long line_no ); >- >- FT_BASE( FT_Error ) >- FT_QAlloc_Debug( FT_Memory memory, >- FT_Long size, >- void* *P, >- const char* file_name, >- FT_Long line_no ); >- >- FT_BASE( FT_Error ) >- FT_Realloc_Debug( FT_Memory memory, >- FT_Long current, >- FT_Long size, >- void* *P, >- const char* file_name, >- FT_Long line_no ); >- >- FT_BASE( FT_Error ) >- FT_QRealloc_Debug( FT_Memory memory, >- FT_Long current, >- FT_Long size, >- void* *P, >- const char* file_name, >- FT_Long line_no ); >+# define FT_ASSIGNP_INNER( p, exp ) ( _ft_debug_file = __FILE__, \ >+ _ft_debug_lineno = __LINE__, \ >+ FT_ASSIGNP( p, exp ) ) >+ >+#else /* !FT_DEBUG_MEMORY */ >+ >+# define FT_DEBUG_INNER( exp ) (exp) >+# define FT_ASSIGNP_INNER( p, exp ) FT_ASSIGNP( p, exp ) >+ >+#endif /* !FT_DEBUG_MEMORY */ >+ >+ /* >+ * The allocation functions return a pointer, and the error code >+ * is written to through the `p_error' parameter. See below for >+ * for documentation. >+ */ >+ >+ FT_BASE( FT_Pointer ) >+ ft_mem_alloc( FT_Memory memory, >+ FT_Long size, >+ FT_Error *p_error ); >+ >+ FT_BASE( FT_Pointer ) >+ ft_mem_qalloc( FT_Memory memory, >+ FT_Long size, >+ FT_Error *p_error ); >+ >+ FT_BASE( FT_Pointer ) >+ ft_mem_realloc( FT_Memory memory, >+ FT_Long item_size, >+ FT_Long cur_count, >+ FT_Long new_count, >+ void* block, >+ FT_Error *p_error ); >+ >+ FT_BASE( FT_Pointer ) >+ ft_mem_qrealloc( FT_Memory memory, >+ FT_Long item_size, >+ FT_Long cur_count, >+ FT_Long new_count, >+ void* block, >+ FT_Error *p_error ); > > FT_BASE( void ) >- FT_Free_Debug( FT_Memory memory, >- FT_Pointer block, >- const char* file_name, >- FT_Long line_no ); >+ ft_mem_free( FT_Memory memory, >+ const void* P ); > >-#endif > >+#define FT_MEM_ALLOC( ptr, size ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_alloc( memory, (size), &error ) ) > >- /*************************************************************************/ >- /* */ >- /* <Function> */ >- /* FT_Alloc */ >- /* */ >- /* <Description> */ >- /* Allocates a new block of memory. The returned area is always */ >- /* zero-filled; this is a strong convention in many FreeType parts. */ >- /* */ >- /* <Input> */ >- /* memory :: A handle to a given `memory object' which handles */ >- /* allocation. */ >- /* */ >- /* size :: The size in bytes of the block to allocate. */ >- /* */ >- /* <Output> */ >- /* P :: A pointer to the fresh new block. It should be set to */ >- /* NULL if `size' is 0, or in case of error. */ >- /* */ >- /* <Return> */ >- /* FreeType error code. 0 means success. */ >- /* */ >- FT_BASE( FT_Error ) >- FT_Alloc( FT_Memory memory, >- FT_Long size, >- void* *P ); >+#define FT_MEM_FREE( ptr ) \ >+ FT_BEGIN_STMNT \ >+ ft_mem_free( memory, (ptr) ); \ >+ (ptr) = NULL; \ >+ FT_END_STMNT > >+#define FT_MEM_NEW( ptr ) \ >+ FT_MEM_ALLOC( ptr, sizeof ( *(ptr) ) ) > >- /*************************************************************************/ >- /* */ >- /* <Function> */ >- /* FT_QAlloc */ >- /* */ >- /* <Description> */ >- /* Allocates a new block of memory. The returned area is *not* */ >- /* zero-filled, making allocation quicker. */ >- /* */ >- /* <Input> */ >- /* memory :: A handle to a given `memory object' which handles */ >- /* allocation. */ >- /* */ >- /* size :: The size in bytes of the block to allocate. */ >- /* */ >- /* <Output> */ >- /* P :: A pointer to the fresh new block. It should be set to */ >- /* NULL if `size' is 0, or in case of error. */ >- /* */ >- /* <Return> */ >- /* FreeType error code. 0 means success. */ >- /* */ >- FT_BASE( FT_Error ) >- FT_QAlloc( FT_Memory memory, >- FT_Long size, >- void* *p ); >+#define FT_MEM_REALLOC( ptr, cursz, newsz ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, 1, \ >+ (cursz), (newsz), \ >+ (ptr), &error ) ) > >+#define FT_MEM_QALLOC( ptr, size ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_qalloc( memory, (size), &error ) ) > >- /*************************************************************************/ >- /* */ >- /* <Function> */ >- /* FT_Realloc */ >- /* */ >- /* <Description> */ >- /* Reallocates a block of memory pointed to by `*P' to `Size' bytes */ >- /* from the heap, possibly changing `*P'. The returned area is */ >- /* zero-filled. */ >- /* */ >- /* <Input> */ >- /* memory :: A handle to a given `memory object' which handles */ >- /* reallocation. */ >- /* */ >- /* current :: The current block size in bytes. */ >- /* */ >- /* size :: The new block size in bytes. */ >- /* */ >- /* <InOut> */ >- /* P :: A pointer to the fresh new block. It should be set to */ >- /* NULL if `size' is 0, or in case of error. */ >- /* */ >- /* <Return> */ >- /* FreeType error code. 0 means success. */ >- /* */ >- /* <Note> */ >- /* All callers of FT_Realloc() _must_ provide the current block size */ >- /* as well as the new one. */ >- /* */ >- FT_BASE( FT_Error ) >- FT_Realloc( FT_Memory memory, >- FT_Long current, >- FT_Long size, >- void* *P ); >+#define FT_MEM_QNEW( ptr ) \ >+ FT_MEM_QALLOC( ptr, sizeof ( *(ptr) ) ) > >+#define FT_MEM_QREALLOC( ptr, cursz, newsz ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, 1, \ >+ (cursz), (newsz), \ >+ (ptr), &error ) ) > >- /*************************************************************************/ >- /* */ >- /* <Function> */ >- /* FT_QRealloc */ >- /* */ >- /* <Description> */ >- /* Reallocates a block of memory pointed to by `*P' to `Size' bytes */ >- /* from the heap, possibly changing `*P'. The returned area is *not* */ >- /* zero-filled, making reallocation quicker. */ >- /* */ >- /* <Input> */ >- /* memory :: A handle to a given `memory object' which handles */ >- /* reallocation. */ >- /* */ >- /* current :: The current block size in bytes. */ >- /* */ >- /* size :: The new block size in bytes. */ >- /* */ >- /* <InOut> */ >- /* P :: A pointer to the fresh new block. It should be set to */ >- /* NULL if `size' is 0, or in case of error. */ >- /* */ >- /* <Return> */ >- /* FreeType error code. 0 means success. */ >- /* */ >- /* <Note> */ >- /* All callers of FT_Realloc() _must_ provide the current block size */ >- /* as well as the new one. */ >- /* */ >- FT_BASE( FT_Error ) >- FT_QRealloc( FT_Memory memory, >- FT_Long current, >- FT_Long size, >- void* *p ); >+#define FT_MEM_QRENEW_ARRAY( ptr, cursz, newsz ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, sizeof ( *(ptr) ), \ >+ (cursz), (newsz), \ >+ (ptr), &error ) ) > >+#define FT_MEM_ALLOC_MULT( ptr, count, item_size ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, (item_size), \ >+ 0, (count), \ >+ NULL, &error ) ) > >- /*************************************************************************/ >- /* */ >- /* <Function> */ >- /* FT_Free */ >- /* */ >- /* <Description> */ >- /* Releases a given block of memory allocated through FT_Alloc(). */ >- /* */ >- /* <Input> */ >- /* memory :: A handle to a given `memory object' which handles */ >- /* memory deallocation */ >- /* */ >- /* P :: This is the _address_ of a _pointer_ which points to the */ >- /* allocated block. It is always set to NULL on exit. */ >- /* */ >- /* <Note> */ >- /* If P or *P is NULL, this function should return successfully. */ >- /* This is a strong convention within all of FreeType and its */ >- /* drivers. */ >- /* */ >- FT_BASE( void ) >- FT_Free( FT_Memory memory, >- void* *P ); >+#define FT_MEM_REALLOC_MULT( ptr, oldcnt, newcnt, itmsz ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, (itmsz), \ >+ (oldcnt), (newcnt), \ >+ (ptr), &error ) ) >+ >+#define FT_MEM_QALLOC_MULT( ptr, count, item_size ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, (item_size), \ >+ 0, (count), \ >+ NULL, &error ) ) >+ >+#define FT_MEM_QREALLOC_MULT( ptr, oldcnt, newcnt, itmsz) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, (itmsz), \ >+ (oldcnt), (newcnt), \ >+ (ptr), &error ) ) > > >+#define FT_MEM_SET_ERROR( cond ) ( (cond), error != 0 ) >+ > #define FT_MEM_SET( dest, byte, count ) ft_memset( dest, byte, count ) > > #define FT_MEM_COPY( dest, source, count ) ft_memcpy( dest, source, count ) >@@ -280,93 +210,76 @@ > > #define FT_ARRAY_CHECK( ptr, count ) ( (count) <= FT_ARRAY_MAX( ptr ) ) > >- > /*************************************************************************/ > /* */ >- /* We first define FT_MEM_ALLOC, FT_MEM_REALLOC, and FT_MEM_FREE. All */ >- /* macros use an _implicit_ `memory' parameter to access the current */ >- /* memory allocator. */ >+ /* The following functions macros expect that their pointer argument is */ >+ /* _typed_ in order to automatically compute array element sizes. */ > /* */ > >-#ifdef FT_DEBUG_MEMORY >+#define FT_MEM_NEW_ARRAY( ptr, count ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, sizeof ( *(ptr) ), \ >+ 0, (count), \ >+ NULL, &error ) ) > >-#define FT_MEM_ALLOC( _pointer_, _size_ ) \ >- FT_Alloc_Debug( memory, _size_, \ >- (void**)(void*)&(_pointer_), \ >- __FILE__, __LINE__ ) >+#define FT_MEM_RENEW_ARRAY( ptr, cursz, newsz ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_realloc( memory, sizeof ( *(ptr) ), \ >+ (cursz), (newsz), \ >+ (ptr), &error ) ) > >-#define FT_MEM_REALLOC( _pointer_, _current_, _size_ ) \ >- FT_Realloc_Debug( memory, _current_, _size_, \ >- (void**)(void*)&(_pointer_), \ >- __FILE__, __LINE__ ) >+#define FT_MEM_QNEW_ARRAY( ptr, count ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, sizeof ( *(ptr) ), \ >+ 0, (count), \ >+ NULL, &error ) ) > >-#define FT_MEM_QALLOC( _pointer_, _size_ ) \ >- FT_QAlloc_Debug( memory, _size_, \ >- (void**)(void*)&(_pointer_), \ >- __FILE__, __LINE__ ) >+#define FT_MEM_QRENEW_ARRAY( ptr, cursz, newsz ) \ >+ FT_ASSIGNP_INNER( ptr, ft_mem_qrealloc( memory, sizeof ( *(ptr) ), \ >+ (cursz), (newsz), \ >+ (ptr), &error ) ) > >-#define FT_MEM_QREALLOC( _pointer_, _current_, _size_ ) \ >- FT_QRealloc_Debug( memory, _current_, _size_, \ >- (void**)(void*)&(_pointer_), \ >- __FILE__, __LINE__ ) >+#define FT_ALLOC( ptr, size ) \ >+ FT_MEM_SET_ERROR( FT_MEM_ALLOC( ptr, size ) ) > >-#define FT_MEM_FREE( _pointer_ ) \ >- FT_Free_Debug( memory, (void**)(void*)&(_pointer_), \ >- __FILE__, __LINE__ ) >+#define FT_REALLOC( ptr, cursz, newsz ) \ >+ FT_MEM_SET_ERROR( FT_MEM_REALLOC( ptr, cursz, newsz ) ) > >+#define FT_ALLOC_MULT( ptr, count, item_size ) \ >+ FT_MEM_SET_ERROR( FT_MEM_ALLOC_MULT( ptr, count, item_size ) ) > >-#else /* !FT_DEBUG_MEMORY */ >+#define FT_REALLOC_MULT( ptr, oldcnt, newcnt, itmsz ) \ >+ FT_MEM_SET_ERROR( FT_MEM_REALLOC_MULT( ptr, oldcnt, \ >+ newcnt, itmsz ) ) > >+#define FT_QALLOC( ptr, size ) \ >+ FT_MEM_SET_ERROR( FT_MEM_QALLOC( ptr, size ) ) > >-#define FT_MEM_ALLOC( _pointer_, _size_ ) \ >- FT_Alloc( memory, _size_, \ >- (void**)(void*)&(_pointer_) ) >+#define FT_QREALLOC( ptr, cursz, newsz ) \ >+ FT_MEM_SET_ERROR( FT_MEM_QREALLOC( ptr, cursz, newsz ) ) > >-#define FT_MEM_FREE( _pointer_ ) \ >- FT_Free( memory, \ >- (void**)(void*)&(_pointer_) ) >+#define FT_QALLOC_MULT( ptr, count, item_size ) \ >+ FT_MEM_SET_ERROR( FT_MEM_QALLOC_MULT( ptr, count, item_size ) ) > >-#define FT_MEM_REALLOC( _pointer_, _current_, _size_ ) \ >- FT_Realloc( memory, _current_, _size_, \ >- (void**)(void*)&(_pointer_) ) >+#define FT_QREALLOC_MULT( ptr, oldcnt, newcnt, itmsz ) \ >+ FT_MEM_SET_ERROR( FT_MEM_QREALLOC_MULT( ptr, oldcnt, \ >+ newcnt, itmsz ) ) > >-#define FT_MEM_QALLOC( _pointer_, _size_ ) \ >- FT_QAlloc( memory, _size_, \ >- (void**)(void*)&(_pointer_) ) >+#define FT_FREE( ptr ) FT_MEM_FREE( ptr ) > >-#define FT_MEM_QREALLOC( _pointer_, _current_, _size_ ) \ >- FT_QRealloc( memory, _current_, _size_, \ >- (void**)(void*)&(_pointer_) ) >+#define FT_NEW( ptr ) FT_MEM_SET_ERROR( FT_MEM_NEW( ptr ) ) > >-#endif /* !FT_DEBUG_MEMORY */ >+#define FT_NEW_ARRAY( ptr, count ) \ >+ FT_MEM_SET_ERROR( FT_MEM_NEW_ARRAY( ptr, count ) ) > >+#define FT_RENEW_ARRAY( ptr, curcnt, newcnt ) \ >+ FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) ) > >- /*************************************************************************/ >- /* */ >- /* The following functions macros expect that their pointer argument is */ >- /* _typed_ in order to automatically compute array element sizes. */ >- /* */ >- >-#define FT_MEM_NEW( _pointer_ ) \ >- FT_MEM_ALLOC( _pointer_, sizeof ( *(_pointer_) ) ) >- >-#define FT_MEM_NEW_ARRAY( _pointer_, _count_ ) \ >- FT_MEM_ALLOC( _pointer_, (_count_) * sizeof ( *(_pointer_) ) ) >- >-#define FT_MEM_RENEW_ARRAY( _pointer_, _old_, _new_ ) \ >- FT_MEM_REALLOC( _pointer_, (_old_) * sizeof ( *(_pointer_) ), \ >- (_new_) * sizeof ( *(_pointer_) ) ) >+#define FT_QNEW( ptr ) \ >+ FT_MEM_SET_ERROR( FT_MEM_QNEW( ptr ) ) > >-#define FT_MEM_QNEW( _pointer_ ) \ >- FT_MEM_QALLOC( _pointer_, sizeof ( *(_pointer_) ) ) >- >-#define FT_MEM_QNEW_ARRAY( _pointer_, _count_ ) \ >- FT_MEM_QALLOC( _pointer_, (_count_) * sizeof ( *(_pointer_) ) ) >- >-#define FT_MEM_QRENEW_ARRAY( _pointer_, _old_, _new_ ) \ >- FT_MEM_QREALLOC( _pointer_, (_old_) * sizeof ( *(_pointer_) ), \ >- (_new_) * sizeof ( *(_pointer_) ) ) >+#define FT_QNEW_ARRAY( ptr, count ) \ >+ FT_MEM_SET_ERROR( FT_MEM_NEW_ARRAY( ptr, count ) ) > >+#define FT_QRENEW_ARRAY( ptr, curcnt, newcnt ) \ >+ FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) ) > > /*************************************************************************/ > /* */ >@@ -388,44 +301,6 @@ > /* if an error occured (i.e. if 'error != 0'). */ > /* */ > >-#define FT_ALLOC( _pointer_, _size_ ) \ >- FT_SET_ERROR( FT_MEM_ALLOC( _pointer_, _size_ ) ) >- >-#define FT_REALLOC( _pointer_, _current_, _size_ ) \ >- FT_SET_ERROR( FT_MEM_REALLOC( _pointer_, _current_, _size_ ) ) >- >-#define FT_QALLOC( _pointer_, _size_ ) \ >- FT_SET_ERROR( FT_MEM_QALLOC( _pointer_, _size_ ) ) >- >-#define FT_QREALLOC( _pointer_, _current_, _size_ ) \ >- FT_SET_ERROR( FT_MEM_QREALLOC( _pointer_, _current_, _size_ ) ) >- >- >-#define FT_FREE( _pointer_ ) \ >- FT_MEM_FREE( _pointer_ ) >- >- >-#define FT_NEW( _pointer_ ) \ >- FT_ALLOC( _pointer_, sizeof ( *(_pointer_) ) ) >- >-#define FT_NEW_ARRAY( _pointer_, _count_ ) \ >- FT_ALLOC( _pointer_, sizeof ( *(_pointer_) ) * (_count_) ) >- >-#define FT_RENEW_ARRAY( _pointer_, _old_, _new_ ) \ >- FT_REALLOC( _pointer_, sizeof ( *(_pointer_) ) * (_old_), \ >- sizeof ( *(_pointer_) ) * (_new_) ) >- >-#define FT_QNEW( _pointer_ ) \ >- FT_QALLOC( _pointer_, sizeof ( *(_pointer_) ) ) >- >-#define FT_QNEW_ARRAY( _pointer_, _count_ ) \ >- FT_QALLOC( _pointer_, sizeof ( *(_pointer_) ) * (_count_) ) >- >-#define FT_QRENEW_ARRAY( _pointer_, _old_, _new_ ) \ >- FT_QREALLOC( _pointer_, sizeof ( *(_pointer_) ) * (_old_), \ >- sizeof ( *(_pointer_) ) * (_new_) ) >- >- > #define FT_ALLOC_ARRAY( _pointer_, _count_, _type_ ) \ > FT_ALLOC( _pointer_, (_count_) * sizeof ( _type_ ) ) > >diff -uNr -x '*.orig' freetype-2.1.10/include/freetype/internal/ftstream.h freetype-2.1.10.mandrk/include/freetype/internal/ftstream.h >--- freetype-2.1.10/include/freetype/internal/ftstream.h 2005-03-16 02:13:31.000000000 +0100 >+++ freetype-2.1.10.mandrk/include/freetype/internal/ftstream.h 2006-06-20 20:17:22.000000000 +0200 >@@ -514,18 +514,21 @@ > FT_SET_ERROR( FT_Stream_ReadFields( stream, fields, object ) ) > > >-#define FT_FRAME_ENTER( size ) \ >- FT_SET_ERROR( FT_Stream_EnterFrame( stream, size ) ) >+#define FT_FRAME_ENTER( size ) \ >+ FT_SET_ERROR( \ >+ FT_DEBUG_INNER( FT_Stream_EnterFrame( stream, size ) ) ) > > #define FT_FRAME_EXIT() \ >- FT_Stream_ExitFrame( stream ) >+ FT_DEBUG_INNER( FT_Stream_ExitFrame( stream ) ) > >-#define FT_FRAME_EXTRACT( size, bytes ) \ >- FT_SET_ERROR( FT_Stream_ExtractFrame( stream, size, \ >- (FT_Byte**)&(bytes) ) ) >- >-#define FT_FRAME_RELEASE( bytes ) \ >- FT_Stream_ReleaseFrame( stream, (FT_Byte**)&(bytes) ) >+#define FT_FRAME_EXTRACT( size, bytes ) \ >+ FT_SET_ERROR( \ >+ FT_DEBUG_INNER( FT_Stream_ExtractFrame( stream, size, \ >+ (FT_Byte**)&(bytes) ) ) ) >+ >+#define FT_FRAME_RELEASE( bytes ) \ >+ FT_DEBUG_INNER( FT_Stream_ReleaseFrame( stream, \ >+ (FT_Byte**)&(bytes) ) ) > > > FT_END_HEADER >diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftbitmap.c freetype-2.1.10.mandrk/src/base/ftbitmap.c >--- freetype-2.1.10/src/base/ftbitmap.c 2005-05-30 15:53:09.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/base/ftbitmap.c 2006-06-20 20:17:22.000000000 +0200 >@@ -165,7 +165,7 @@ > > new_pitch = ( bitmap->width + xpixels + ppb - 1 ) / ppb; > >- if ( FT_ALLOC( buffer, new_pitch * ( bitmap->rows + ypixels ) ) ) >+ if ( FT_QALLOC_MULT( buffer, new_pitch, bitmap->rows + ypixels ) ) > return error; > > if ( bitmap->pitch > 0 ) >diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftdbgmem.c freetype-2.1.10.mandrk/src/base/ftdbgmem.c >--- freetype-2.1.10/src/base/ftdbgmem.c 2005-03-03 12:34:15.000000000 +0100 >+++ freetype-2.1.10.mandrk/src/base/ftdbgmem.c 2006-06-20 20:17:22.000000000 +0200 >@@ -36,6 +36,8 @@ > #include <stdio.h> > #include <stdlib.h> > >+ FT_BASE_DEF( const char* ) _ft_debug_file = 0; >+ FT_BASE_DEF( long ) _ft_debug_lineno = 0; > > extern void > FT_DumpMemory( FT_Memory memory ); >@@ -48,7 +50,11 @@ > > #define FT_MEM_VAL( addr ) ((FT_ULong)(FT_Pointer)( addr )) > >- >+ /* >+ * This structure holds statistics for a single allocation/release >+ * site. This is useful to know where memory operations happen the >+ * most. >+ */ > typedef struct FT_MemSourceRec_ > { > const char* file_name; >@@ -76,7 +82,13 @@ > */ > #define FT_MEM_SOURCE_BUCKETS 128 > >- >+ /* >+ * This structure holds information related to a single allocated >+ * memory block. If KEEPALIVE is defined, blocks that are freed by >+ * FreeType are never released to the system. Instead, their `size' >+ * field is set to -size. This is mainly useful to detect double frees, >+ * at the price of large memory footprint during execution. >+ */ > typedef struct FT_MemNodeRec_ > { > FT_Byte* address; >@@ -94,6 +106,10 @@ > } FT_MemNodeRec; > > >+ /* >+ * The global structure, containing compound statistics and all hash >+ * tables. >+ */ > typedef struct FT_MemTableRec_ > { > FT_ULong size; >@@ -113,9 +129,6 @@ > > FT_MemSource sources[FT_MEM_SOURCE_BUCKETS]; > >- const char* file_name; >- FT_Long line_no; >- > FT_Bool keep_alive; > > FT_Memory memory; >@@ -446,8 +459,8 @@ > FT_MemSource node, *pnode; > > >- hash = (FT_UInt32)(void*)table->file_name + >- (FT_UInt32)( 5 * table->line_no ); >+ hash = (FT_UInt32)(void*)_ft_debug_file + >+ (FT_UInt32)( 5 * _ft_debug_lineno ); > pnode = &table->sources[hash % FT_MEM_SOURCE_BUCKETS]; > > for ( ;; ) >@@ -456,8 +469,8 @@ > if ( node == NULL ) > break; > >- if ( node->file_name == table->file_name && >- node->line_no == table->line_no ) >+ if ( node->file_name == _ft_debug_file && >+ node->line_no == _ft_debug_lineno ) > goto Exit; > > pnode = &node->link; >@@ -468,8 +481,8 @@ > ft_mem_debug_panic( > "not enough memory to perform memory debugging\n" ); > >- node->file_name = table->file_name; >- node->line_no = table->line_no; >+ node->file_name = _ft_debug_file; >+ node->line_no = _ft_debug_lineno; > > node->cur_blocks = 0; > node->max_blocks = 0; >@@ -525,7 +538,7 @@ > "org=%s:%d new=%s:%d\n", > node->address, node->size, > FT_FILENAME( node->source->file_name ), node->source->line_no, >- FT_FILENAME( table->file_name ), table->line_no ); >+ FT_FILENAME( _ft_debug_file ), _ft_debug_lineno ); > } > } > >@@ -593,7 +606,7 @@ > "freeing memory block at %p more than once at (%s:%ld)\n" > "block allocated at (%s:%ld) and released at (%s:%ld)", > address, >- FT_FILENAME( table->file_name ), table->line_no, >+ FT_FILENAME( _ft_debug_file ), _ft_debug_lineno, > FT_FILENAME( node->source->file_name ), node->source->line_no, > FT_FILENAME( node->free_file_name ), node->free_line_no ); > >@@ -611,8 +624,8 @@ > /* we simply invert the node's size to indicate that the node */ > /* was freed. */ > node->size = -node->size; >- node->free_file_name = table->file_name; >- node->free_line_no = table->line_no; >+ node->free_file_name = _ft_debug_file; >+ node->free_line_no = _ft_debug_lineno; > } > else > { >@@ -634,7 +647,7 @@ > ft_mem_debug_panic( > "trying to free unknown block at %p in (%s:%ld)\n", > address, >- FT_FILENAME( table->file_name ), table->line_no ); >+ FT_FILENAME( _ft_debug_file ), _ft_debug_lineno ); > } > } > >@@ -657,7 +670,7 @@ > > /* return NULL if this allocation would overflow the maximum heap size */ > if ( table->bound_total && >- table->alloc_current + (FT_ULong)size > table->alloc_total_max ) >+ table->alloc_total_max - table->alloc_current > (FT_ULong)size ) > return NULL; > > block = (FT_Byte *)ft_mem_table_alloc( table, size ); >@@ -666,8 +679,8 @@ > > table->alloc_count++; > >- table->file_name = NULL; >- table->line_no = 0; >+ _ft_debug_file = "<unknown>"; >+ _ft_debug_lineno = 0; > > return (FT_Pointer)block; > } >@@ -682,8 +695,8 @@ > > if ( block == NULL ) > ft_mem_debug_panic( "trying to free NULL in (%s:%ld)", >- FT_FILENAME( table->file_name ), >- table->line_no ); >+ FT_FILENAME( _ft_debug_file ), >+ _ft_debug_lineno ); > > ft_mem_table_remove( table, (FT_Byte*)block ); > >@@ -692,8 +705,8 @@ > > table->alloc_count--; > >- table->file_name = NULL; >- table->line_no = 0; >+ _ft_debug_file = "<unknown>"; >+ _ft_debug_lineno = 0; > } > > >@@ -707,8 +720,8 @@ > FT_MemNode node, *pnode; > FT_Pointer new_block; > >- const char* file_name = FT_FILENAME( table->file_name ); >- FT_Long line_no = table->line_no; >+ const char* file_name = FT_FILENAME( _ft_debug_file ); >+ FT_Long line_no = _ft_debug_lineno; > > > /* the following is valid according to ANSI C */ >diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftmac.c freetype-2.1.10.mandrk/src/base/ftmac.c >--- freetype-2.1.10/src/base/ftmac.c 2004-08-28 10:02:46.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/base/ftmac.c 2006-06-20 20:17:22.000000000 +0200 >@@ -430,6 +430,7 @@ > short res_id; > unsigned char *buffer, *p, *size_p = NULL; > FT_ULong total_size = 0; >+ FT_ULong old_total_size = 0; > FT_ULong post_size, pfb_chunk_size; > Handle post_data; > char code, last_code; >@@ -460,6 +461,15 @@ > > total_size += GetHandleSize( post_data ) - 2; > last_code = code; >+ >+ /* detect integer overflows */ >+ if ( total_size < old_total_size ) >+ { >+ error = FT_Err_Array_Too_Large; >+ goto Error; >+ } >+ >+ old_total_size = total_size; > } > > if ( FT_ALLOC( buffer, (FT_Long)total_size ) ) >diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftobjs.c freetype-2.1.10.mandrk/src/base/ftobjs.c >--- freetype-2.1.10/src/base/ftobjs.c 2005-06-06 08:22:42.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/base/ftobjs.c 2006-06-20 20:17:21.000000000 +0200 >@@ -267,14 +267,15 @@ > FT_ULong size ) > { > FT_Memory memory = FT_FACE_MEMORY( slot->face ); >- >+ FT_Error error; > > if ( slot->internal->flags & FT_GLYPH_OWN_BITMAP ) > FT_FREE( slot->bitmap.buffer ); > else > slot->internal->flags |= FT_GLYPH_OWN_BITMAP; > >- return FT_MEM_ALLOC( slot->bitmap.buffer, size ); >+ (void)FT_ALLOC( slot->bitmap.buffer, size ); >+ return error; > } > > >diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftrfork.c freetype-2.1.10.mandrk/src/base/ftrfork.c >--- freetype-2.1.10/src/base/ftrfork.c 2005-05-22 07:46:10.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/base/ftrfork.c 2006-06-20 20:17:22.000000000 +0200 >@@ -179,7 +179,7 @@ > if ( error ) > return error; > >- if ( FT_ALLOC( offsets_internal, *count * sizeof( FT_Long ) ) ) >+ if ( FT_NEW_ARRAY( offsets_internal, *count ) ) > return error; > > for ( j = 0; j < *count; ++j ) >@@ -426,20 +426,25 @@ > FT_Error error; > char* newpath; > FT_Memory memory; >+ FT_Long base_file_len = ft_strlen( base_file_name ); > > FT_UNUSED( stream ); > > > memory = library->memory; > >- if ( FT_ALLOC( newpath, >- ft_strlen( base_file_name ) + ft_strlen( "/rsrc" ) + 1 ) ) >+ if ( base_file_len > FT_INT_MAX ) >+ return FT_Err_Array_Too_Large; >+ >+ if ( FT_ALLOC( newpath, base_file_len + 6 ) ) > return error; > >- ft_strcpy( newpath, base_file_name ); >- ft_strcat( newpath, "/rsrc" ); >+ FT_MEM_COPY( newpath, base_file_name, base_file_len ); >+ FT_MEM_COPY( newpath + base_file_len, "/rsrc", 6 ); >+ > *result_file_name = newpath; >- *result_offset = 0; >+ *result_offset = 0; >+ > return FT_Err_Ok; > } > >diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftstream.c freetype-2.1.10.mandrk/src/base/ftstream.c >--- freetype-2.1.10/src/base/ftstream.c 2005-03-16 02:15:07.000000000 +0100 >+++ freetype-2.1.10.mandrk/src/base/ftstream.c 2006-06-20 20:17:21.000000000 +0200 >@@ -212,8 +212,12 @@ > { > FT_Memory memory = stream->memory; > >- >+#ifdef FT_DEBUG_MEMORY >+ ft_mem_free( memory, *pbytes ); >+ *pbytes = NULL; >+#else > FT_FREE( *pbytes ); >+#endif > } > *pbytes = 0; > } >@@ -235,10 +239,15 @@ > /* allocate the frame in memory */ > FT_Memory memory = stream->memory; > >- >+#ifdef FT_DEBUG_MEMORY >+ /* assume _ft_debug_file and _ft_debug_lineno are already set */ >+ stream->base = (unsigned char*)ft_mem_qalloc( memory, count, &error ); >+ if ( error ) >+ goto Exit; >+#else > if ( FT_QALLOC( stream->base, count ) ) > goto Exit; >- >+#endif > /* read it */ > read_bytes = stream->read( stream, stream->pos, > stream->base, count ); >@@ -298,8 +307,12 @@ > { > FT_Memory memory = stream->memory; > >- >+#ifdef FT_DEBUG_MEMORY >+ ft_mem_free( memory, stream->base ); >+ stream->base = NULL; >+#else > FT_FREE( stream->base ); >+#endif > } > stream->cursor = 0; > stream->limit = 0; >diff -uNr -x '*.orig' freetype-2.1.10/src/base/ftutil.c freetype-2.1.10.mandrk/src/base/ftutil.c >--- freetype-2.1.10/src/base/ftutil.c 2005-03-03 23:59:06.000000000 +0100 >+++ freetype-2.1.10.mandrk/src/base/ftutil.c 2006-06-20 20:17:22.000000000 +0200 >@@ -45,167 +45,126 @@ > /*************************************************************************/ > /*************************************************************************/ > >- /* documentation is in ftmemory.h */ > >- FT_BASE_DEF( FT_Error ) >- FT_Alloc( FT_Memory memory, >- FT_Long size, >- void* *P ) >+ FT_BASE_DEF( FT_Pointer ) >+ ft_mem_alloc( FT_Memory memory, >+ FT_Long size, >+ FT_Error *p_error ) > { >- FT_ASSERT( P != 0 ); >+ FT_Error error; >+ FT_Pointer block = ft_mem_qalloc( memory, size, &error ); > >- if ( size > 0 ) >- { >- *P = memory->alloc( memory, size ); >- if ( !*P ) >- { >- FT_ERROR(( "FT_Alloc:" )); >- FT_ERROR(( " Out of memory? (%ld requested)\n", >- size )); >- >- return FT_Err_Out_Of_Memory; >- } >- FT_MEM_ZERO( *P, size ); >- } >- else >- *P = NULL; >- >- FT_TRACE7(( "FT_Alloc:" )); >- FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n", >- size, *P, P )); >+ if ( !error && size > 0 ) >+ FT_MEM_ZERO( block, size ); > >- return FT_Err_Ok; >+ *p_error = error; >+ return block; > } > > >- /* documentation is in ftmemory.h */ >- >- FT_BASE_DEF( FT_Error ) >- FT_QAlloc( FT_Memory memory, >- FT_Long size, >- void* *P ) >+ FT_BASE_DEF( FT_Pointer ) >+ ft_mem_qalloc( FT_Memory memory, >+ FT_Long size, >+ FT_Error *p_error ) > { >- FT_ASSERT( P != 0 ); >+ FT_Error error = FT_Err_Ok; >+ FT_Pointer block = NULL; >+ > > if ( size > 0 ) > { >- *P = memory->alloc( memory, size ); >- if ( !*P ) >- { >- FT_ERROR(( "FT_QAlloc:" )); >- FT_ERROR(( " Out of memory? (%ld requested)\n", >- size )); >- >- return FT_Err_Out_Of_Memory; >- } >+ block = memory->alloc( memory, size ); >+ if ( block == NULL ) >+ error = FT_Err_Out_Of_Memory; >+ } >+ else if ( size < 0 ) >+ { >+ /* may help catch/prevent security issues */ >+ error = FT_Err_Invalid_Argument; > } >- else >- *P = NULL; >- >- FT_TRACE7(( "FT_QAlloc:" )); >- FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n", >- size, *P, P )); > >- return FT_Err_Ok; >+ *p_error = error; >+ return block; > } > > >- /* documentation is in ftmemory.h */ >- >- FT_BASE_DEF( FT_Error ) >- FT_Realloc( FT_Memory memory, >- FT_Long current, >- FT_Long size, >- void** P ) >+ FT_BASE_DEF( FT_Pointer ) >+ ft_mem_realloc( FT_Memory memory, >+ FT_Long item_size, >+ FT_Long cur_count, >+ FT_Long new_count, >+ void* block, >+ FT_Error *p_error ) > { >- void* Q; >- >- >- FT_ASSERT( P != 0 ); >+ FT_Error error = FT_Err_Ok; > >- /* if the original pointer is NULL, call FT_Alloc() */ >- if ( !*P ) >- return FT_Alloc( memory, size, P ); >+ block = ft_mem_qrealloc( memory, item_size, >+ cur_count, new_count, block, &error ); >+ if ( !error && new_count > cur_count ) >+ FT_MEM_ZERO( (char*)block + cur_count * item_size, >+ ( new_count - cur_count ) * item_size ); > >- /* if the new block if zero-sized, clear the current one */ >- if ( size <= 0 ) >- { >- FT_Free( memory, P ); >- return FT_Err_Ok; >- } >- >- Q = memory->realloc( memory, current, size, *P ); >- if ( !Q ) >- goto Fail; >- >- if ( size > current ) >- FT_MEM_ZERO( (char*)Q + current, size - current ); >- >- *P = Q; >- return FT_Err_Ok; >- >- Fail: >- FT_ERROR(( "FT_Realloc:" )); >- FT_ERROR(( " Failed (current %ld, requested %ld)\n", >- current, size )); >- return FT_Err_Out_Of_Memory; >+ *p_error = error; >+ return block; > } > > >- /* documentation is in ftmemory.h */ >- >- FT_BASE_DEF( FT_Error ) >- FT_QRealloc( FT_Memory memory, >- FT_Long current, >- FT_Long size, >- void** P ) >+ FT_BASE_DEF( FT_Pointer ) >+ ft_mem_qrealloc( FT_Memory memory, >+ FT_Long item_size, >+ FT_Long cur_count, >+ FT_Long new_count, >+ void* block, >+ FT_Error *p_error ) > { >- void* Q; >- >- >- FT_ASSERT( P != 0 ); >+ FT_Error error = FT_Err_Ok; > >- /* if the original pointer is NULL, call FT_QAlloc() */ >- if ( !*P ) >- return FT_QAlloc( memory, size, P ); > >- /* if the new block if zero-sized, clear the current one */ >- if ( size <= 0 ) >+ if ( cur_count < 0 || new_count < 0 || item_size <= 0 ) > { >- FT_Free( memory, P ); >- return FT_Err_Ok; >+ /* may help catch/prevent nasty security issues */ >+ error = FT_Err_Invalid_Argument; > } >+ else if ( new_count == 0 ) >+ { >+ ft_mem_free( memory, block ); >+ block = NULL; >+ } >+ else if ( new_count > FT_INT_MAX/item_size ) >+ { >+ error = FT_Err_Array_Too_Large; >+ } >+ else if ( cur_count == 0 ) >+ { >+ FT_ASSERT( block == NULL ); > >- Q = memory->realloc( memory, current, size, *P ); >- if ( !Q ) >- goto Fail; >+ block = ft_mem_alloc( memory, new_count*item_size, &error ); >+ } >+ else >+ { >+ FT_Pointer block2; >+ FT_Long cur_size = cur_count*item_size; >+ FT_Long new_size = new_count*item_size; > >- *P = Q; >- return FT_Err_Ok; > >- Fail: >- FT_ERROR(( "FT_QRealloc:" )); >- FT_ERROR(( " Failed (current %ld, requested %ld)\n", >- current, size )); >- return FT_Err_Out_Of_Memory; >- } >+ block2 = memory->realloc( memory, cur_size, new_size, block ); >+ if ( block2 == NULL ) >+ error = FT_Err_Out_Of_Memory; >+ else >+ block = block2; >+ } > >+ *p_error = error; >+ return block; >+ } > >- /* documentation is in ftmemory.h */ > > FT_BASE_DEF( void ) >- FT_Free( FT_Memory memory, >- void** P ) >+ ft_mem_free( FT_Memory memory, >+ const void *P ) > { >- FT_TRACE7(( "FT_Free:" )); >- FT_TRACE7(( " Freeing block 0x%08p, ref 0x%08p\n", >- P, P ? *P : (void*)0 )); >- >- if ( P && *P ) >- { >- memory->free( memory, *P ); >- *P = 0; >- } >+ if ( P ) >+ memory->free( memory, (void*)P ); > } > > >@@ -399,7 +358,7 @@ > } > > >- FT_BASE( FT_UInt32 ) >+ FT_BASE_DEF( FT_UInt32 ) > ft_highpow2( FT_UInt32 value ) > { > FT_UInt32 value2; >@@ -421,4 +380,70 @@ > } > > >+#ifdef FT_CONFIG_OPTION_OLD_INTERNALS >+ >+ FT_BASE_DEF( FT_Error ) >+ FT_Alloc( FT_Memory memory, >+ FT_Long size, >+ void* *P ) >+ { >+ FT_Error error; >+ >+ >+ (void)FT_ALLOC( *P, size ); >+ return error; >+ } >+ >+ >+ FT_BASE_DEF( FT_Error ) >+ FT_QAlloc( FT_Memory memory, >+ FT_Long size, >+ void* *p ) >+ { >+ FT_Error error; >+ >+ >+ (void)FT_QALLOC( *p, size ); >+ return error; >+ } >+ >+ >+ FT_BASE_DEF( FT_Error ) >+ FT_Realloc( FT_Memory memory, >+ FT_Long current, >+ FT_Long size, >+ void* *P ) >+ { >+ FT_Error error; >+ >+ >+ (void)FT_REALLOC( *P, current, size ); >+ return error; >+ } >+ >+ >+ FT_BASE_DEF( FT_Error ) >+ FT_QRealloc( FT_Memory memory, >+ FT_Long current, >+ FT_Long size, >+ void* *p ) >+ { >+ FT_Error error; >+ >+ >+ (void)FT_QREALLOC( *p, current, size ); >+ return error; >+ } >+ >+ >+ FT_BASE_DEF( void ) >+ FT_Free( FT_Memory memory, >+ void* *P ) >+ { >+ if ( *P ) >+ FT_MEM_FREE( *P ); >+ } >+ >+#endif /* FT_CONFIG_OPTION_OLD_INTERNALS */ >+ > /* END */ >diff -uNr -x '*.orig' freetype-2.1.10/src/bdf/bdflib.c freetype-2.1.10.mandrk/src/bdf/bdflib.c >--- freetype-2.1.10/src/bdf/bdflib.c 2005-05-21 19:19:52.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/bdf/bdflib.c 2006-06-20 20:17:17.000000000 +0200 >@@ -1092,6 +1092,7 @@ > #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" > #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" > #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n" >+#define ERRMSG4 "[line %ld] BBX too big.\n" > > > static FT_Error >@@ -1561,6 +1562,14 @@ > > p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 ); > >+ /* Check that the encoding is in the range [0,65536] because */ >+ /* otherwise p->have (a bitmap with static size) overflows. */ >+ if ( p->glyph_enc >= sizeof(p->have)*8 ) >+ { >+ error = BDF_Err_Invalid_File_Format; >+ goto Exit; >+ } >+ > /* Check to see whether this encoding has already been encountered. */ > /* If it has then change it to unencoded so it gets added if */ > /* indicated. */ >@@ -1805,6 +1814,8 @@ > /* And finally, gather up the bitmap. */ > if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) > { >+ unsigned long bitmap_size; >+ > if ( !( p->flags & _BDF_BBX ) ) > { > /* Missing BBX field. */ >@@ -1815,7 +1826,16 @@ > > /* Allocate enough space for the bitmap. */ > glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; >- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height ); >+ >+ bitmap_size = glyph->bpr * glyph->bbx.height; >+ if ( bitmap_size > 0xFFFFU ) >+ { >+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); >+ error = BDF_Err_Bbx_Too_Big; >+ goto Exit; >+ } >+ else >+ glyph->bytes = (unsigned short)bitmap_size; > > if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) > goto Exit; >diff -uNr -x '*.orig' freetype-2.1.10/src/cache/ftccache.c freetype-2.1.10.mandrk/src/cache/ftccache.c >--- freetype-2.1.10/src/cache/ftccache.c 2005-05-23 23:24:16.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/cache/ftccache.c 2006-06-20 20:17:29.000000000 +0200 >@@ -100,10 +100,10 @@ > if ( p >= mask ) > { > FT_Memory memory = cache->memory; >- >+ FT_Error error; > > /* if we can't expand the array, leave immediately */ >- if ( FT_MEM_RENEW_ARRAY( cache->buckets, (mask+1)*2, (mask+1)*4 ) ) >+ if ( FT_RENEW_ARRAY( cache->buckets, (mask+1)*2, (mask+1)*4 ) ) > break; > } > >@@ -152,10 +152,10 @@ > if ( p == 0 ) > { > FT_Memory memory = cache->memory; >- >+ FT_Error error; > > /* if we can't shrink the array, leave immediately */ >- if ( FT_MEM_RENEW_ARRAY( cache->buckets, >+ if ( FT_RENEW_ARRAY( cache->buckets, > ( mask + 1 ) * 2, mask + 1 ) ) > break; > >@@ -246,7 +246,8 @@ > > > /* remove a node from the cache manager */ >- FT_EXPORT_DEF( void ) >+ /* this function is FT_BASE since it may be called by old rogue clients */ >+ FT_BASE_DEF( void ) > ftc_node_destroy( FTC_Node node, > FTC_Manager manager ) > { >@@ -312,13 +313,15 @@ > ftc_cache_init( FTC_Cache cache ) > { > FT_Memory memory = cache->memory; >+ FT_Error error; > > > cache->p = 0; > cache->mask = FTC_HASH_INITIAL_SIZE - 1; > cache->slack = FTC_HASH_INITIAL_SIZE * FTC_HASH_MAX_LOAD; > >- return ( FT_MEM_NEW_ARRAY( cache->buckets, FTC_HASH_INITIAL_SIZE * 2 ) ); >+ (void)FT_NEW_ARRAY( cache->buckets, FTC_HASH_INITIAL_SIZE * 2 ); >+ return error; > } > > >diff -uNr -x '*.orig' freetype-2.1.10/src/cff/cffgload.c freetype-2.1.10.mandrk/src/cff/cffgload.c >--- freetype-2.1.10/src/cff/cffgload.c 2005-04-18 06:53:05.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/cff/cffgload.c 2006-06-20 20:17:17.000000000 +0200 >@@ -2284,7 +2284,7 @@ > FT_LOCAL_DEF( FT_Error ) > cff_slot_load( CFF_GlyphSlot glyph, > CFF_Size size, >- FT_Int glyph_index, >+ FT_UInt glyph_index, > FT_Int32 load_flags ) > { > FT_Error error; >@@ -2330,7 +2330,7 @@ > > error = sfnt->load_sbit_image( face, > (FT_ULong)size->strike_index, >- (FT_UInt)glyph_index, >+ glyph_index, > (FT_Int)load_flags, > stream, > &glyph->root.bitmap, >@@ -2393,7 +2393,12 @@ > /* subsetted font, glyph_indices and CIDs are identical, though */ > if ( cff->top_font.font_dict.cid_registry != 0xFFFFU && > cff->charset.cids ) >- glyph_index = cff->charset.cids[glyph_index]; >+ { >+ if ( glyph_index < cff->charset.max_cid ) >+ glyph_index = cff->charset.cids[glyph_index]; >+ else >+ glyph_index = 0; >+ } > > cff_decoder_init( &decoder, face, size, glyph, hinting, > FT_LOAD_TARGET_MODE( load_flags ) ); >diff -uNr -x '*.orig' freetype-2.1.10/src/cff/cffgload.h freetype-2.1.10.mandrk/src/cff/cffgload.h >--- freetype-2.1.10/src/cff/cffgload.h 2004-05-13 23:59:17.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/cff/cffgload.h 2006-06-20 20:17:17.000000000 +0200 >@@ -196,7 +196,7 @@ > FT_LOCAL( FT_Error ) > cff_slot_load( CFF_GlyphSlot glyph, > CFF_Size size, >- FT_Int glyph_index, >+ FT_UInt glyph_index, > FT_Int32 load_flags ); > > >diff -uNr -x '*.orig' freetype-2.1.10/src/cff/cffload.c freetype-2.1.10.mandrk/src/cff/cffload.c >--- freetype-2.1.10/src/cff/cffload.c 2005-05-06 07:49:46.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/cff/cffload.c 2006-06-20 20:17:29.000000000 +0200 >@@ -1235,7 +1235,7 @@ > } > > /* access element */ >- if ( off1 ) >+ if ( off1 && off2 > off1 ) > { > *pbyte_len = off2 - off1; > >@@ -1688,6 +1688,8 @@ > > for ( i = 0; i < num_glyphs; i++ ) > charset->cids[charset->sids[i]] = (FT_UShort)i; >+ >+ charset->max_cid = max_cid; > } > > Exit: >@@ -2011,7 +2013,7 @@ > > if ( error ) > goto Exit; >- >+ > /* if it is a CID font, we stop there */ > if ( top->cid_registry != 0xFFFFU ) > goto Exit; >@@ -2040,6 +2042,9 @@ > FT_FRAME_EXIT(); > if ( error ) > goto Exit; >+ >+ /* ensure that 'num_blue_values' is even */ >+ priv->num_blue_values &= ~1; > } > > /* read the local subrs, if any */ >@@ -2293,8 +2298,6 @@ > { > for ( idx = 0; idx < font->num_subfonts; idx++ ) > cff_subfont_done( memory, font->subfonts[idx] ); >- >- FT_FREE( font->subfonts ); > } > > cff_encoding_done( &font->encoding ); >diff -uNr -x '*.orig' freetype-2.1.10/src/cff/cfftypes.h freetype-2.1.10.mandrk/src/cff/cfftypes.h >--- freetype-2.1.10/src/cff/cfftypes.h 2003-12-20 08:30:05.000000000 +0100 >+++ freetype-2.1.10.mandrk/src/cff/cfftypes.h 2006-06-20 20:17:17.000000000 +0200 >@@ -84,6 +84,7 @@ > FT_UShort* sids; > FT_UShort* cids; /* the inverse mapping of `sids'; only needed */ > /* for CID-keyed fonts */ >+ FT_UInt max_cid; > } CFF_CharsetRec, *CFF_Charset; > > >diff -uNr -x '*.orig' freetype-2.1.10/src/gzip/ftgzip.c freetype-2.1.10.mandrk/src/gzip/ftgzip.c >--- freetype-2.1.10/src/gzip/ftgzip.c 2005-03-16 02:35:17.000000000 +0100 >+++ freetype-2.1.10.mandrk/src/gzip/ftgzip.c 2006-06-20 20:17:22.000000000 +0200 >@@ -99,12 +99,12 @@ > uInt size ) > { > FT_ULong sz = (FT_ULong)size * items; >+ FT_Error error; > FT_Pointer p; > > >- FT_MEM_ALLOC( p, sz ); >- >- return (voidpf) p; >+ (void)FT_ALLOC( p, sz ); >+ return p; > } > > >diff -uNr -x '*.orig' freetype-2.1.10/src/pcf/pcfdrivr.c freetype-2.1.10.mandrk/src/pcf/pcfdrivr.c >--- freetype-2.1.10/src/pcf/pcfdrivr.c 2004-07-28 02:09:02.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/pcf/pcfdrivr.c 2006-06-20 20:17:21.000000000 +0200 >@@ -213,7 +213,7 @@ > > FT_FREE( prop->name ); > if ( prop->isString ) >- FT_FREE( prop->value ); >+ FT_FREE( prop->value.atom ); > } > > FT_FREE( face->properties ); >diff -uNr -x '*.orig' freetype-2.1.10/src/pshinter/pshglob.c freetype-2.1.10.mandrk/src/pshinter/pshglob.c >--- freetype-2.1.10/src/pshinter/pshglob.c 2004-04-02 09:13:53.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/pshinter/pshglob.c 2006-06-20 20:17:29.000000000 +0200 >@@ -150,7 +150,7 @@ > FT_UNUSED( target ); > > >- for ( ; read_count > 0; read_count -= 2 ) >+ for ( ; read_count > 1; read_count -= 2 ) > { > FT_Int reference, delta; > FT_UInt count; >diff -uNr -x '*.orig' freetype-2.1.10/src/raster/ftrend1.c freetype-2.1.10.mandrk/src/raster/ftrend1.c >--- freetype-2.1.10/src/raster/ftrend1.c 2005-05-11 17:01:49.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/raster/ftrend1.c 2006-06-20 20:17:22.000000000 +0200 >@@ -175,7 +175,7 @@ > bitmap->rows = height; > bitmap->pitch = pitch; > >- if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) ) >+ if ( FT_ALLOC_MULT( bitmap->buffer, pitch, height ) ) > goto Exit; > > slot->internal->flags |= FT_GLYPH_OWN_BITMAP; >diff -uNr -x '*.orig' freetype-2.1.10/src/sfnt/sfobjs.c freetype-2.1.10.mandrk/src/sfnt/sfobjs.c >--- freetype-2.1.10/src/sfnt/sfobjs.c 2005-05-21 19:22:28.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/sfnt/sfobjs.c 2006-06-20 20:17:22.000000000 +0200 >@@ -47,11 +47,12 @@ > FT_String* string; > FT_UInt len, code, n; > FT_Byte* read = (FT_Byte*)entry->string; >- >+ FT_Error error; >+ > > len = (FT_UInt)entry->stringLength / 2; > >- if ( FT_MEM_NEW_ARRAY( string, len + 1 ) ) >+ if ( FT_NEW_ARRAY( string, len + 1 ) ) > return NULL; > > for ( n = 0; n < len; n++ ) >@@ -77,11 +78,12 @@ > FT_String* string; > FT_UInt len, code, n; > FT_Byte* read = (FT_Byte*)entry->string; >- >+ FT_Error error; >+ > > len = (FT_UInt)entry->stringLength / 4; > >- if ( FT_MEM_NEW_ARRAY( string, len + 1 ) ) >+ if ( FT_NEW_ARRAY( string, len + 1 ) ) > return NULL; > > for ( n = 0; n < len; n++ ) >@@ -107,11 +109,12 @@ > FT_String* string; > FT_UInt len, code, n; > FT_Byte* read = (FT_Byte*)entry->string; >- >+ FT_Error error; >+ > > len = (FT_UInt)entry->stringLength; > >- if ( FT_MEM_NEW_ARRAY( string, len + 1 ) ) >+ if ( FT_NEW_ARRAY( string, len + 1 ) ) > return NULL; > > for ( n = 0; n < len; n++ ) >diff -uNr -x '*.orig' freetype-2.1.10/src/sfnt/ttcmap.c freetype-2.1.10.mandrk/src/sfnt/ttcmap.c >--- freetype-2.1.10/src/sfnt/ttcmap.c 2005-05-11 16:37:40.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/sfnt/ttcmap.c 2006-06-20 20:17:17.000000000 +0200 >@@ -2144,9 +2144,7 @@ > charmap.encoding = FT_ENCODING_NONE; /* will be filled later */ > offset = TT_NEXT_ULONG( p ); > >- if ( offset && >- table + offset + 2 < limit && >- table + offset >= table ) >+ if ( offset && offset <= face->cmap_size - 2 ) > { > FT_Byte* cmap = table + offset; > volatile FT_UInt format = TT_PEEK_USHORT( cmap ); >diff -uNr -x '*.orig' freetype-2.1.10/src/sfnt/ttpost.c freetype-2.1.10.mandrk/src/sfnt/ttpost.c >--- freetype-2.1.10/src/sfnt/ttpost.c 2003-10-29 22:43:51.000000000 +0100 >+++ freetype-2.1.10.mandrk/src/sfnt/ttpost.c 2006-06-20 20:17:22.000000000 +0200 >@@ -292,7 +292,7 @@ > goto Exit; > } > >- if ( FT_ALLOC( offset_table, num_glyphs ) || >+ if ( FT_NEW_ARRAY( offset_table, num_glyphs ) || > FT_STREAM_READ( offset_table, num_glyphs ) ) > goto Fail; > >diff -uNr -x '*.orig' freetype-2.1.10/src/truetype/ttgxvar.c freetype-2.1.10.mandrk/src/truetype/ttgxvar.c >--- freetype-2.1.10/src/truetype/ttgxvar.c 2005-05-22 07:49:48.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/truetype/ttgxvar.c 2006-06-20 20:17:22.000000000 +0200 >@@ -684,15 +684,17 @@ > goto Exit; > } > >- if ( FT_ALLOC( face->blend, sizeof ( GX_BlendRec ) ) ) >+ if ( FT_NEW( face->blend ) ) > goto Exit; > >+ /* XXX: TODO - check for overflows */ > face->blend->mmvar_len = > sizeof ( FT_MM_Var ) + > fvar_head.axisCount * sizeof ( FT_Var_Axis ) + > fvar_head.instanceCount * sizeof ( FT_Var_Named_Style ) + > fvar_head.instanceCount * fvar_head.axisCount * sizeof ( FT_Fixed ) + > 5 * fvar_head.axisCount; >+ > if ( FT_ALLOC( mmvar, face->blend->mmvar_len ) ) > goto Exit; > face->blend->mmvar = mmvar; >diff -uNr -x '*.orig' freetype-2.1.10/src/type1/t1load.c freetype-2.1.10.mandrk/src/type1/t1load.c >--- freetype-2.1.10/src/type1/t1load.c 2005-04-14 13:39:28.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/type1/t1load.c 2006-06-20 20:17:29.000000000 +0200 >@@ -1990,6 +1990,9 @@ > if ( error ) > goto Exit; > >+ /* ensure even-ness of 'num_blue_values' */ >+ priv->num_blue_values &= ~1; >+ > #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT > > /* the following can happen for MM instances; we then treat the */ >diff -uNr -x '*.orig' freetype-2.1.10/src/winfonts/winfnt.c freetype-2.1.10.mandrk/src/winfonts/winfnt.c >--- freetype-2.1.10/src/winfonts/winfnt.c 2004-06-15 16:13:10.000000000 +0200 >+++ freetype-2.1.10.mandrk/src/winfonts/winfnt.c 2006-06-20 20:17:22.000000000 +0200 >@@ -633,7 +633,7 @@ > > /* note: since glyphs are stored in columns and not in rows we */ > /* can't use ft_glyphslot_set_bitmap */ >- if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) ) >+ if ( FT_ALLOC_MULT( bitmap->buffer, pitch, bitmap->rows ) ) > goto Exit; > > column = (FT_Byte*)bitmap->buffer;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=89651">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 137388
: 89651
