diff options
Diffstat (limited to 'third_party/freetype/src/cid/cidgload.c')
-rw-r--r-- | third_party/freetype/src/cid/cidgload.c | 38 |
1 files changed, 25 insertions, 13 deletions
diff --git a/third_party/freetype/src/cid/cidgload.c b/third_party/freetype/src/cid/cidgload.c index d00674fe0d..b96c33334d 100644 --- a/third_party/freetype/src/cid/cidgload.c +++ b/third_party/freetype/src/cid/cidgload.c @@ -4,7 +4,7 @@ /* */ /* CID-keyed Type1 Glyph Loader (body). */ /* */ -/* Copyright 1996-2015 by */ +/* Copyright 1996-2017 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -100,7 +100,7 @@ /* and charstring offset from the CIDMap. */ { FT_UInt entry_len = (FT_UInt)( cid->fd_bytes + cid->gd_bytes ); - FT_ULong off1; + FT_ULong off1, off2; if ( FT_STREAM_SEEK( cid->data_offset + cid->cidmap_offset + @@ -108,18 +108,23 @@ FT_FRAME_ENTER( 2 * entry_len ) ) goto Exit; - p = (FT_Byte*)stream->cursor; - fd_select = cid_get_offset( &p, (FT_Byte)cid->fd_bytes ); - off1 = cid_get_offset( &p, (FT_Byte)cid->gd_bytes ); - p += cid->fd_bytes; - glyph_length = cid_get_offset( &p, (FT_Byte)cid->gd_bytes ) - off1; + p = (FT_Byte*)stream->cursor; + fd_select = cid_get_offset( &p, (FT_Byte)cid->fd_bytes ); + off1 = cid_get_offset( &p, (FT_Byte)cid->gd_bytes ); + p += cid->fd_bytes; + off2 = cid_get_offset( &p, (FT_Byte)cid->gd_bytes ); FT_FRAME_EXIT(); - if ( fd_select >= (FT_ULong)cid->num_dicts ) + if ( fd_select >= (FT_ULong)cid->num_dicts || + off2 > stream->size || + off1 > off2 ) { + FT_TRACE0(( "cid_load_glyph: invalid glyph stream offsets\n" )); error = FT_THROW( Invalid_Offset ); goto Exit; } + + glyph_length = off2 - off1; if ( glyph_length == 0 ) goto Exit; if ( FT_ALLOC( charstring, glyph_length ) ) @@ -137,9 +142,10 @@ /* Set up subrs */ - decoder->num_subrs = cid_subrs->num_subrs; - decoder->subrs = cid_subrs->code; - decoder->subrs_len = 0; + decoder->num_subrs = cid_subrs->num_subrs; + decoder->subrs = cid_subrs->code; + decoder->subrs_len = 0; + decoder->subrs_hash = NULL; /* Set up font matrix */ dict = cid->font_dicts + fd_select; @@ -152,6 +158,12 @@ /* Adjustment for seed bytes. */ cs_offset = decoder->lenIV >= 0 ? (FT_UInt)decoder->lenIV : 0; + if ( cs_offset > glyph_length ) + { + FT_TRACE0(( "cid_load_glyph: invalid glyph stream offsets\n" )); + error = FT_THROW( Invalid_Offset ); + goto Exit; + } /* Decrypt only if lenIV >= 0. */ if ( decoder->lenIV >= 0 ) @@ -162,8 +174,6 @@ glyph_length - cs_offset ); } - FT_FREE( charstring ); - #ifdef FT_CONFIG_OPTION_INCREMENTAL /* Incremental fonts can optionally override the metrics. */ @@ -188,6 +198,8 @@ #endif /* FT_CONFIG_OPTION_INCREMENTAL */ Exit: + FT_FREE( charstring ); + return error; } |