From 64872a50165d842d72c520f5f7e19124dbf7822d Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 2 Dec 2013 07:51:17 +0100 Subject: [PATCH] [truetype] Fix change from 2013-11-20. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Problem reported by Akira Kakuto . * src/truetype/ttgload.c (TT_Load_Simple_Glyph): Protect call to `Update_Max' with both a TT_USE_BYTECODE_INTERPRETER guard and a `IS_HINTED' clause. Also remove redundant check using `maxSizeOfInstructions' – in simple glyphs, the bytecode data comes before the outline data, and a validity test for this is already present. --- ChangeLog | 13 +++++++++++++ src/truetype/ttgload.c | 44 ++++++++++++++++-------------------------- 2 files changed, 30 insertions(+), 27 deletions(-) diff --git a/ChangeLog b/ChangeLog index 196bd7688..ca4699fbb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +2013-12-02 Werner Lemberg + + [truetype] Fix change from 2013-11-20. + + Problem reported by Akira Kakuto . + + * src/truetype/ttgload.c (TT_Load_Simple_Glyph): Protect call to + `Update_Max' with both a TT_USE_BYTECODE_INTERPRETER guard and a + `IS_HINTED' clause. + Also remove redundant check using `maxSizeOfInstructions' – in + simple glyphs, the bytecode data comes before the outline data, and + a validity test for this is already present. + 2013-11-27 Werner Lemberg [autofit] Fix use of dumping functions in `ftgrid' demo program. diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c index cc62f93b7..d459ec138 100644 --- a/src/truetype/ttgload.c +++ b/src/truetype/ttgload.c @@ -348,8 +348,7 @@ FT_GlyphLoader gloader = load->gloader; FT_Int n_contours = load->n_contours; FT_Outline* outline; - TT_Face face = (TT_Face)load->face; - FT_UShort n_ins, max_ins; + FT_UShort n_ins; FT_Int n_points; FT_ULong tmp; @@ -418,30 +417,6 @@ FT_TRACE5(( " Instructions size: %u\n", n_ins )); /* check it */ - max_ins = face->max_profile.maxSizeOfInstructions; - if ( n_ins > max_ins ) - { - /* don't trust `maxSizeOfInstructions'; */ - /* only do a rough safety check */ - if ( (FT_Int)n_ins > load->byte_len ) - { - FT_TRACE1(( "TT_Load_Simple_Glyph:" - " too many instructions (%d) for glyph with length %d\n", - n_ins, load->byte_len )); - return FT_THROW( Too_Many_Hints ); - } - - tmp = load->exec->glyphSize; - error = Update_Max( load->exec->memory, - &tmp, - sizeof ( FT_Byte ), - (void*)&load->exec->glyphIns, - n_ins ); - load->exec->glyphSize = (FT_UShort)tmp; - if ( error ) - return error; - } - if ( ( limit - p ) < n_ins ) { FT_TRACE0(( "TT_Load_Simple_Glyph: instruction count mismatch\n" )); @@ -453,6 +428,20 @@ if ( IS_HINTED( load->load_flags ) ) { + /* we don't trust `maxSizeOfInstructions' in the `maxp' table */ + /* and thus update the bytecode array size by ourselves */ + + tmp = load->exec->glyphSize; + error = Update_Max( load->exec->memory, + &tmp, + sizeof ( FT_Byte ), + (void*)&load->exec->glyphIns, + n_ins ); + + load->exec->glyphSize = (FT_UShort)tmp; + if ( error ) + return error; + load->glyph->control_len = n_ins; load->glyph->control_data = load->exec->glyphIns; @@ -1244,12 +1233,13 @@ return FT_THROW( Too_Many_Hints ); } - tmp = loader->exec->glyphSize; + tmp = loader->exec->glyphSize; error = Update_Max( loader->exec->memory, &tmp, sizeof ( FT_Byte ), (void*)&loader->exec->glyphIns, n_ins ); + loader->exec->glyphSize = (FT_UShort)tmp; if ( error ) return error;