[type42] Fix Savannah bug #43659.

* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.

* src/type42/t42parse.c (t42_parse_sfnts): Always set
`face->ttf_size' directly.  This ensures a correct stream size in
the call to `FT_Open_Face', which follows after parsing, even for
buggy input data.
Fix error messages.

ChangeLog

@@ -1,3 +1,15 @@
+2014-11-22  Werner Lemberg  <wl@gnu.org>
+
+	[type42] Fix Savannah bug #43659.
+
+	* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
+
+	* src/type42/t42parse.c (t42_parse_sfnts): Always set
+	`face->ttf_size' directly.  This ensures a correct stream size in
+	the call to `FT_Open_Face', which follows after parsing, even for
+	buggy input data.
+	Fix error messages.
+
 2014-11-22  Werner Lemberg  <wl@gnu.org>
 
 	[cff] Fix Savannah bug #43658.

src/type42/t42objs.c

@@ -47,6 +47,12 @@
     if ( FT_ALLOC( face->ttf_data, 12 ) )
       goto Exit;
 
+    /* while parsing the font we always update `face->ttf_size' so that */
+    /* even in case of buggy data (which might lead to premature end of */
+    /* scanning without causing an error) the call to `FT_Open_Face' in */
+    /* `T42_Face_Init' passes the correct size                          */
+    face->ttf_size = 12;
+
     error = t42_parser_init( parser,
                              face->root.stream,
                              memory,

src/type42/t42parse.c

@@ -524,7 +524,7 @@
     FT_Byte*    limit  = parser->root.limit;
     FT_Error    error;
     FT_Int      num_tables = 0;
-    FT_ULong    count, ttf_size = 0;
+    FT_ULong    count;
 
     FT_Long     n, string_size, old_string_size, real_size;
     FT_Byte*    string_buf = NULL;
@@ -617,7 +617,7 @@
 
         if ( limit - parser->root.cursor < string_size )
         {
-          FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+          FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
           error = FT_THROW( Invalid_File_Format );
           goto Fail;
         }
@@ -657,18 +657,18 @@
           }
           else
           {
-            num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
-            status     = BEFORE_TABLE_DIR;
-            ttf_size   = 12 + 16 * num_tables;
+            num_tables     = 16 * face->ttf_data[4] + face->ttf_data[5];
+            status         = BEFORE_TABLE_DIR;
+            face->ttf_size = 12 + 16 * num_tables;
 
-            if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+            if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
               goto Fail;
           }
           /* fall through */
 
         case BEFORE_TABLE_DIR:
           /* the offset table is read; read the table directory */
-          if ( count < ttf_size )
+          if ( count < face->ttf_size )
           {
             face->ttf_data[count++] = string_buf[n];
             continue;
@@ -687,24 +687,23 @@
               len = FT_PEEK_ULONG( p );
 
               /* Pad to a 4-byte boundary length */
-              ttf_size += ( len + 3 ) & ~3;
+              face->ttf_size += ( len + 3 ) & ~3;
             }
 
-            status         = OTHER_TABLES;
-            face->ttf_size = ttf_size;
+            status = OTHER_TABLES;
 
             /* there are no more than 256 tables, so no size check here */
             if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
-                             ttf_size + 1 ) )
+                             face->ttf_size + 1 ) )
               goto Fail;
           }
           /* fall through */
 
         case OTHER_TABLES:
           /* all other tables are just copied */
-          if ( count >= ttf_size )
+          if ( count >= face->ttf_size )
           {
-            FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+            FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
             error = FT_THROW( Invalid_File_Format );
             goto Fail;
           }