Initial fix for Savannah bug #30306.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen' the length of fragment declared in the POST fragment header and prevent an underflow in length calculation. Some fonts set the length to zero in spite of the exist of following 16bit `type'. Reported by Robert Swiecki.
15 years ago · 5ef20c8c1d
parent f29f741efb
commit 5ef20c8c1d
2 changed files with 20 additions and 1 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2010-07-01  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	Initial fix for Savannah bug #30306.
+
+	* src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen'
+	the length of fragment declared in the POST fragment header
+	and prevent an underflow in length calculation. Some fonts
+	set the length to zero in spite of the exist of following
+	16bit `type'. Reported by Robert Swiecki.
+
 2010-07-01  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>

 	Additional fix for Savannah bug #30248 and #30249.
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@ -1547,7 +1547,16 @@
        goto Exit;
      if ( FT_READ_USHORT( flags ) )
        goto Exit;
-      rlen -= 2;                    /* the flags are part of the resource */
+      FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                   i, offsets[i], rlen, flags ));
+
+      /* the flags are part of the resource, so rlen >= 2.  */
+      /* but some fonts declare rlen = 0 for empty fragment */
+      if ( rlen > 2 )
+        rlen -= 2;
+      else
+        rlen = 0;
+
      if ( ( flags >> 8 ) == type )
        len += rlen;
      else