From f9fa1c8b7789b43225fd03c7e5e642e7c36ff23f Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Mon, 18 Jun 2007 17:00:05 +0000
Subject: [PATCH] * src/psaux/psobjs.c (ps_parser_skip_PS_token): Remove incorrect assertion. (ps_parser_to_bytes): Fix error message. * src/type42/t42objs.c (T42_Open_Face): Handle one more error return. * src/type42/t42parse.c (t42_parse_sfnts): s/alloc/allocated/. Don't allow mixed binary and hex strings. Handle zero string_size == 0 and string_buf == 0.
---
 ChangeLog | 12 ++++++++++++
 src/psaux/psobjs.c | 3 +--
 src/type42/t42objs.c | 4 +++-
 src/type42/t42parse.c | 30 ++++++++++++++++++++++++++----
 4 files changed, 42 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 8ce35681f..ddfe517da 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2006-06-18 Werner Lemberg
+
+ * src/psaux/psobjs.c (ps_parser_skip_PS_token): Remove incorrect
+ assertion.
+ (ps_parser_to_bytes): Fix error message.
+
+ * src/type42/t42objs.c (T42_Open_Face): Handle one more error
+ return.
+ * src/type42/t42parse.c (t42_parse_sfnts): s/alloc/allocated/.
+ Don't allow mixed binary and hex strings.
+ Handle zero string_size == 0 and string_buf == 0.
+
 2006-06-18 Werner Lemberg
 * src/psaux/psobjs.c (ps_tofixedarray, ps_tocoordarray): Fix exit
diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
index 0ea81cd54..957085668 100644
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -592,7 +592,6 @@
 error = PSaux_Err_Invalid_File_Format;
 }
- FT_ASSERT( parser->error == PSaux_Err_Ok );
 parser->error = error;
 parser->cursor = cur;
 }
@@ -1338,7 +1337,7 @@
 {
 if ( cur < parser->limit && *cur != '>' )
 {
- FT_ERROR(( "ps_tobytes: Missing closing delimiter `>'\n" ));
+ FT_ERROR(( "ps_parser_to_bytes: Missing closing delimiter `>'\n" ));
 error = PSaux_Err_Invalid_File_Format;
 goto Exit;
 }
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index ecd047364..db04fde36 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -4,7 +4,7 @@
 /* */
 /* Type 42 objects manager (body). */
 /* */
-/* Copyright 2002, 2003, 2004, 2005, 2006 by Roberto Alameda. */
+/* Copyright 2002, 2003, 2004, 2005, 2006, 2007 by Roberto Alameda. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
 /* modified, and distributed under the terms of the FreeType project */
@@ -55,6 +55,8 @@
 error = t42_parse_dict( face, &loader, parser->base_dict, parser->base_len );
+ if ( error )
+ goto Exit;
 if ( type1->font_type != 42 )
 {
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 923398558..c60b3afc8 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -4,7 +4,7 @@
 /* */
 /* Type 42 font parser (body). */
 /* */
-/* Copyright 2002, 2003, 2004, 2005, 2006 by Roberto Alameda. */
+/* Copyright 2002, 2003, 2004, 2005, 2006, 2007 by Roberto Alameda. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
 /* modified, and distributed under the terms of the FreeType project */
@@ -490,7 +490,7 @@
 FT_Long n, string_size, old_string_size, real_size;
 FT_Byte* string_buf = NULL;
- FT_Bool alloc = 0;
+ FT_Bool allocated = 0;
 T42_Load_Status status;
@@ -545,7 +545,7 @@
 if ( FT_REALLOC( string_buf, old_string_size, string_size ) )
 goto Fail;
- alloc = 1;
+ allocated = 1;
 parser->root.cursor = cur;
 (void)T1_ToBytes( parser, string_buf, string_size, &real_size, 1 );
@@ -555,6 +555,14 @@
 else if ( ft_isdigit( *cur ) )
 {
+ if ( allocated )
+ {
+ FT_ERROR(( "t42_parse_sfnts: "
+ "can't handle mixed binary and hex strings!\n" ));
+ error = T42_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
 string_size = T1_ToInt( parser );
 T1_Skip_PS_Token( parser ); /* `RD' */
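Review bot: The new `if ( allocated )` guard in the `ft_isdigit` branch of `t42_parse_sfnts` (hunk `@@ -555`) rejects a binary string that follows a hex string, but nothing visible rejects the opposite order. The hex branch shown in the `@@ -545` hunk still calls `FT_REALLOC( string_buf, old_string_size, string_size )`; if the binary branch leaves `string_buf` pointing into the parser's input buffer (that assignment is not visible in these hunks, so this is inferred), a hex string after a binary one would pass a non-heap pointer to the reallocation. A symmetric guard at the top of the hex branch, `if ( string_buf && !allocated )`, with the same error code and `goto Fail;`, would close that direction. The enclosing function begins and ends outside this hunk.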
@@ -572,10 +580,24 @@
 }
 }
+ if ( !string_buf )
+ {
+ FT_ERROR(( "t42_parse_sfnts: invalid data in sfnts array!\n" ));
+ error = T42_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
 /* A string can have a trailing zero byte for padding. Ignore it. */
 if ( string_buf[string_size - 1] == 0 && ( string_size % 2 == 1 ) )
 string_size--;
+ if ( !string_size )
+ {
+ FT_ERROR(( "t42_parse_sfnts: invalid string!\n" ));
+ error = T42_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
 for ( n = 0; n < string_size; n++ )
 {
 switch ( status )
@@ -654,7 +676,7 @@
 parser->root.error = error;
 Exit:
- if ( alloc )
+ if ( allocated )
 FT_FREE( string_buf );
 }
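Review bot: In the `@@ -572` hunk of `t42_parse_sfnts`, the padding test `string_buf[string_size - 1] == 0` still runs before the added `if ( !string_size )` check, so a zero `string_size` with a non-NULL `string_buf` reads one byte in front of the buffer before the string is rejected. Testing parity first short-circuits that read: `if ( ( string_size % 2 == 1 ) && string_buf[string_size - 1] == 0 )`. Because `string_size` is a signed `FT_Long` (declared in the `@@ -490` hunk) and is filled from font data via `T1_ToInt`, `if ( string_size <= 0 )` would also reject negative sizes rather than only zero; whether negative values are filtered earlier is not visible here. The function body extends beyond this hunk.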