Minor fixes.

* src/cff/cffload.c (cff_charset_compute_cids): `charset->sids[i]'
is `FT_UShort'.
(cff_index_access_element): Don't use additions in comparison.
* src/sfnt/ttpost.c (load_format_20): Make `post_limit' of type
`FT_Long'.
Don't use additions in comparison.
Improve tracing messages.
(load_format_25, load_post_names): Make `post_limit' of type
`FT_Long'.

ChangeLog

@@ -1,13 +1,27 @@
+2010-09-19  Werner Lemberg  <wl@gnu.org>
+
+	Minor fixes.
+
+	* src/cff/cffload.c (cff_charset_compute_cids): `charset->sids[i]'
+	is `FT_UShort'.
+	(cff_index_access_element): Don't use additions in comparison.
+	* src/sfnt/ttpost.c (load_format_20): Make `post_limit' of type
+	`FT_Long'.
+	Don't use additions in comparison.
+	Improve tracing messages.
+	(load_format_25, load_post_names): Make `post_limit' of type
+	`FT_Long'.
+
 2010-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
  
 	[cff] Truncate the element length at the end of the stream.
 	See Savannah bug #30975.
  
-	* src/cff/cffload.c (cff_index_access_element): `off2', the
- 	offset to the next element is truncated at the end of the
-	stream to prevent invalid I/O.  As `off1', the offset to the
-	requested element has been checked by FT_STREAM_SEEK(),
-	`off2' should be checked similarly.
+	* src/cff/cffload.c (cff_index_access_element): `off2', the offset
+ 	to the next element is truncated at the end of the stream to prevent
+ 	invalid I/O.  As `off1', the offset to the requested element has
+ 	been checked by FT_STREAM_SEEK(), `off2' should be checked
+ 	similarly.
 
 2010-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
@@ -15,17 +29,17 @@
 	See Savannah bug #30975.
 
 	* src/cff/cffload.c (cff_charset_compute_cids): Ignore CID if
-	greater than 0xFFFFU.  CFF font spec does not mention about
-	maximum CID in the font, but PostScript and PDF spec define
-	that maximum CID is 0xFFFFU.
+	greater than 0xFFFFU.  CFF font spec does not mention maximum CID in
+	the font, but PostScript and PDF spec define that maximum CID is
+	0xFFFFU.
 
 2010-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
 	[cff] Make trace message in cff_charset_load() verbose.
 	See Savannah bug #30975.
 
-	* src/cff/cffload.c (cff_charset_load): Report the original
-	`nleft' and truncated `nleft'.
+	* src/cff/cffload.c (cff_charset_load): Report the original `nleft'
+	and truncated `nleft'.
 
 2010-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
@@ -33,45 +47,47 @@
 	See Savannah bug #30975.
 
 	* src/cff/cffload.c (cff_charset_compute_cids): Don't increment
-	max_cid after detecting max CID.  The array CFF_Charset->cids
-	is allocated by max_cid + 1.
-	(cff_charset_cid_to_gindex): Permit CID is less than or equal
-	to CFF_Charset->max_cid.
+	max_cid after detecting max CID.  The array CFF_Charset->cids is
+	allocated by max_cid + 1.
+	(cff_charset_cid_to_gindex): Permit CID is less than or equal to
+	CFF_Charset->max_cid.
 	* src/cff/cffobjs.c (cff_face_init): FT_Face->num_glyphs is
 	calculated as CFF_Charset->max_cid + 1.
 
 2010-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
 	[truetype] Sanitize the broken offsets in `loca'.
+	See Savannah bug #31040.
 
 	* src/truetype/ttpload.c (tt_face_get_location): If `pos1', the
 	offset to the requested entry in `glyf' exceeds the end of the
-	table, return offset=0, length=0.  If `pos2', the offset to the
-	next entry in `glyf' exceeds the end of the table, truncate
-	the entry length at the end of `glyf' table.
-	See Savannah bug #31040.
+	table, return offset=0, length=0.  If `pos2', the offset to the next
+	entry in `glyf' exceeds the end of the table, truncate the entry
+	length at the end of `glyf' table.
 
 2010-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
 	[sfnt] Prevent overrunning in `post' table parser.
+	See Savannah bug #31040.
 
-	* src/sfnt/ttpost.c (load_post_names): Get the length of
-	`post' table and pass the limit of `post' table to
-	load_format_20() and load_format_25().
-	(load_format_20): Stop the parsing when we reached at the
-	limit of `post' table.  If more glyph names are required,
-	they are filled by NULL names.  See Savannah bug #31040.
+	* src/sfnt/ttpost.c (load_post_names): Get the length of `post'
+	table and pass the limit of `post' table to load_format_20() and
+	load_format_25().
+	(load_format_20): Stop the parsing when we reached at the limit of
+	`post' table.  If more glyph names are required, they are filled by
+	NULL names.
 
 2010-09-17  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
 	[truetype] Don't duplicate size->twilight structure to be freed.
+	See Savannah bug #31040 for detail.
 
 	* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
 	FT_GlyphZoneRec size->twilight to be freed.  If duplicated,
 	FT_FREE() erases the duplicated pointers only and leave original
 	pointers.  They can cause the double-free crash when the burst
-	errors occur in TrueType interpreter and free_buffer_in_size()
-	is invoked repeatedly.  See Savannah bug #31040 for detail.
+	errors occur in TrueType interpreter and free_buffer_in_size() is
+	invoked repeatedly.
 
 2010-09-15  Werner Lemberg  <wl@gnu.org>
 

src/cff/cffload.c

@@ -519,9 +519,10 @@
         }
       }
 
-      /* XXX: should check off2 does not exceed the end of this entry   */
-      /*      at present, only truncate off 2 at the end of this stream */
-      if ( idx->data_offset + off2 - 1 > stream->size )
+      /* XXX: should check off2 does not exceed the end of this entry; */
+      /*      at present, only truncate off2 at the end of this stream */
+      if ( off2 > stream->size + 1                    ||
+           idx->data_offset > stream->size - off2 + 1 )
       {
         FT_ERROR(( "cff_index_access_element:"
                    " offset to next entry (%d)"
@@ -791,16 +792,11 @@
 
     for ( i = 0; i < num_glyphs; i++ )
     {
-      if ( charset->sids[i] > 0xFFFFU )
-        FT_ERROR(( "cff_charset_compute_cids():"
-                   " ignore CID (0x%lx) for SID (0x%lx),"
-                   " greater than PS/PDF spec\n",
-                   charset->sids[i], i ));
-      else if ( charset->sids[i] > max_cid )
+      if ( charset->sids[i] > max_cid )
         max_cid = charset->sids[i];
     }
 
-    if ( FT_NEW_ARRAY( charset->cids, max_cid + 1 ) )
+    if ( FT_NEW_ARRAY( charset->cids, (FT_ULong)max_cid + 1 ) )
       goto Exit;
 
     /* When multiple GIDs map to the same CID, we choose the lowest */

src/sfnt/ttpost.c

@@ -5,7 +5,7 @@
 /*    Postcript name table processing for TrueType and OpenType fonts      */
 /*    (body).                                                              */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009 by             */
+/*  Copyright 1996-2001, 2002, 2003, 2006, 2007, 2008, 2009, 2010 by       */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -154,7 +154,7 @@
   static FT_Error
   load_format_20( TT_Face    face,
                   FT_Stream  stream,
-                  FT_ULong   post_limit )
+                  FT_Long    post_limit )
   {
     FT_Memory   memory = stream->memory;
     FT_Error    error;
@@ -231,30 +231,34 @@
         FT_UInt  len;
 
 
-        FT_TRACE7(( "load_format_20: %d byte left in post table\n",
-                     post_limit - FT_STREAM_POS() ));
-
         if ( FT_STREAM_POS() >= post_limit )
         {
           FT_ERROR(( "load_format_20:"
-                     " all entries in post table is already parsed,"
-                     " put NULL name for gid=%d\n", n ));
+                     " all entries in post table are already parsed,"
+                     " using NULL for gid %d\n", n ));
           len = 0;
         }
-        else if ( FT_READ_BYTE( len ) )
-          goto Fail1;
+        else
+        {
+          FT_TRACE6(( "load_format_20: %d byte left in post table\n",
+                      post_limit - FT_STREAM_POS() ));
 
-        if ( len > 0 && FT_STREAM_POS() + len > post_limit )
+          if ( FT_READ_BYTE( len ) )
+            goto Fail1;
+        }
+
+        if ( (FT_Int)len > post_limit                   ||
+             FT_STREAM_POS() > post_limit - (FT_Int)len )
         {
           FT_ERROR(( "load_format_20:"
-                     " too large string length (%d)"
-                     " truncate at the end of post table (%d byte left)\n",
+                     " exceeding string length (%d),"
+                     " truncating at end of post table (%d byte left)\n",
                      len, post_limit - FT_STREAM_POS() ));
           len = FT_MAX( 0, post_limit - FT_STREAM_POS() );
         }
 
         if ( FT_NEW_ARRAY( name_strings[n], len + 1 ) ||
-             FT_STREAM_READ  ( name_strings[n], len ) )
+             FT_STREAM_READ( name_strings[n], len   ) )
           goto Fail1;
 
         name_strings[n][len] = '\0';
@@ -294,7 +298,7 @@
   static FT_Error
   load_format_25( TT_Face    face,
                   FT_Stream  stream,
-                  FT_ULong   post_limit )
+                  FT_Long    post_limit )
   {
     FT_Memory  memory = stream->memory;
     FT_Error   error;
@@ -302,6 +306,8 @@
     FT_Int     num_glyphs;
     FT_Char*   offset_table = 0;
 
+    FT_UNUSED( post_limit );
+
 
     /* UNDOCUMENTED!  This value appears only in the Apple TT specs. */
     if ( FT_READ_USHORT( num_glyphs ) )
@@ -361,7 +367,8 @@
     FT_Stream  stream;
     FT_Error   error;
     FT_Fixed   format;
-    FT_ULong   post_len, post_limit;
+    FT_ULong   post_len;
+    FT_Long    post_limit;
 
 
     /* get a stream for the face's resource */