diff options
Diffstat (limited to 'third_party/freetype/src/type1/t1parse.c')
-rw-r--r-- | third_party/freetype/src/type1/t1parse.c | 51 |
1 files changed, 34 insertions, 17 deletions
diff --git a/third_party/freetype/src/type1/t1parse.c b/third_party/freetype/src/type1/t1parse.c index ccf9f4cc56..0b68502606 100644 --- a/third_party/freetype/src/type1/t1parse.c +++ b/third_party/freetype/src/type1/t1parse.c @@ -4,7 +4,7 @@ /* */ /* Type 1 parser (body). */ /* */ -/* Copyright 1996-2005, 2008, 2009, 2012-2014 by */ +/* Copyright 1996-2015 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -143,13 +143,13 @@ FT_ULong size; - psaux->ps_parser_funcs->init( &parser->root, 0, 0, memory ); + psaux->ps_parser_funcs->init( &parser->root, NULL, NULL, memory ); parser->stream = stream; parser->base_len = 0; - parser->base_dict = 0; + parser->base_dict = NULL; parser->private_len = 0; - parser->private_dict = 0; + parser->private_dict = NULL; parser->in_pfb = 0; parser->in_memory = 0; parser->single_block = 0; @@ -273,7 +273,7 @@ /* made of several segments. We thus first read the number of */ /* segments to compute the total size of the private dictionary */ /* then re-read them into memory. */ - FT_Long start_pos = FT_STREAM_POS(); + FT_ULong start_pos = FT_STREAM_POS(); FT_UShort tag; @@ -334,7 +334,6 @@ /* first of all, look at the `eexec' keyword */ FT_Byte* cur = parser->base_dict; FT_Byte* limit = cur + parser->base_len; - FT_Byte c; FT_Pointer pos_lf; FT_Bool test_cr; @@ -342,9 +341,9 @@ Again: for (;;) { - c = cur[0]; - if ( c == 'e' && cur + 9 < limit ) /* 9 = 5 letters for `eexec' + */ - /* whitespace + 4 chars */ + if ( cur[0] == 'e' && + cur + 9 < limit ) /* 9 = 5 letters for `eexec' + */ + /* whitespace + 4 chars */ { if ( cur[1] == 'e' && cur[2] == 'x' && @@ -374,8 +373,15 @@ while ( cur < limit ) { - if ( *cur == 'e' && ft_strncmp( (char*)cur, "eexec", 5 ) == 0 ) - goto Found; + if ( cur[0] == 'e' && + cur + 5 < limit ) + { + if ( cur[1] == 'e' && + cur[2] == 'x' && + cur[3] == 'e' && + cur[4] == 'c' ) + goto Found; + } T1_Skip_PS_Token( parser ); if ( parser->root.error ) @@ -389,6 +395,15 @@ cur = limit; limit = parser->base_dict + parser->base_len; + + if ( cur >= limit ) + { + FT_ERROR(( "T1_Get_Private_Dict:" + " premature end in private dictionary\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Exit; + } + goto Again; /* now determine where to write the _encrypted_ binary private */ @@ -411,9 +426,11 @@ /* fine that are violating this limitation, so we add a heuristic */ /* test to stop at \r only if it is not used for EOL. */ - pos_lf = ft_memchr( cur, '\n', limit - cur ); - test_cr = FT_BOOL( !pos_lf || - pos_lf > ft_memchr( cur, '\r', limit - cur ) ); + pos_lf = ft_memchr( cur, '\n', (size_t)( limit - cur ) ); + test_cr = FT_BOOL( !pos_lf || + pos_lf > ft_memchr( cur, + '\r', + (size_t)( limit - cur ) ) ); while ( cur < limit && ( *cur == ' ' || @@ -429,7 +446,7 @@ goto Exit; } - size = (FT_ULong)( parser->base_len - ( cur - parser->base_dict ) ); + size = parser->base_len - (FT_ULong)( cur - parser->base_dict ); if ( parser->in_memory ) { @@ -443,7 +460,7 @@ parser->single_block = 1; parser->private_dict = parser->base_dict; parser->private_len = size; - parser->base_dict = 0; + parser->base_dict = NULL; parser->base_len = 0; } @@ -459,7 +476,7 @@ ft_isxdigit( cur[2] ) && ft_isxdigit( cur[3] ) ) { /* ASCII hexadecimal encoding */ - FT_Long len; + FT_ULong len; parser->root.cursor = cur; |