From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001

From: Werner Lemberg <wl@gnu.org>

Date: Sat, 22 Nov 2014 09:46:47 +0000

Subject: [type42] Fix Savannah bug #43659.

* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.

* src/type42/t42parse.c (t42_parse_sfnts): Always set

`face->ttf_size' directly.  This ensures a correct stream size in

the call to `FT_Open_Face', which follows after parsing, even for

buggy input data.

Fix error messages.

---

diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c

index 798ebdb..7a9cb57 100644

--- a/src/type42/t42objs.c

+++ b/src/type42/t42objs.c

@@ -47,6 +47,12 @@

     if ( FT_ALLOC( face->ttf_data, 12 ) )

       goto Exit;

+    /* while parsing the font we always update `face->ttf_size' so that */

+    /* even in case of buggy data (which might lead to premature end of */

+    /* scanning without causing an error) the call to `FT_Open_Face' in */

+    /* `T42_Face_Init' passes the correct size                          */

+    face->ttf_size = 12;

+

     error = t42_parser_init( parser,

                              face->root.stream,

                              memory,

diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c

index a60e216..daf304d 100644

--- a/src/type42/t42parse.c

+++ b/src/type42/t42parse.c

@@ -498,7 +498,7 @@

     FT_Byte*    limit  = parser->root.limit;

     FT_Error    error;

     FT_Int      num_tables = 0;

-    FT_ULong    count, ttf_size = 0;

+    FT_ULong    count;

     FT_Long     n, string_size, old_string_size, real_size;

     FT_Byte*    string_buf = NULL;

@@ -591,7 +591,7 @@

         if ( limit - parser->root.cursor < string_size )

         {

-          FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));

+          FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));

           error = T42_Err_Invalid_File_Format;

           goto Fail;

         }

@@ -631,18 +631,18 @@

           }

           else

           {

-            num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];

-            status     = BEFORE_TABLE_DIR;

-            ttf_size   = 12 + 16 * num_tables;

+            num_tables     = 16 * face->ttf_data[4] + face->ttf_data[5];

+            status         = BEFORE_TABLE_DIR;

+            face->ttf_size = 12 + 16 * num_tables;

-            if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )

+            if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )

               goto Fail;

           }

           /* fall through */

         case BEFORE_TABLE_DIR:

           /* the offset table is read; read the table directory */

-          if ( count < ttf_size )

+          if ( count < face->ttf_size )

           {

             face->ttf_data[count++] = string_buf[n];

             continue;

@@ -661,24 +661,23 @@

               len = FT_PEEK_ULONG( p );

               /* Pad to a 4-byte boundary length */

-              ttf_size += ( len + 3 ) & ~3;

+              face->ttf_size += ( len + 3 ) & ~3;

             }

-            status         = OTHER_TABLES;

-            face->ttf_size = ttf_size;

+            status = OTHER_TABLES;

             /* there are no more than 256 tables, so no size check here */

             if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,

-                             ttf_size + 1 ) )

+                             face->ttf_size + 1 ) )

               goto Fail;

           }

           /* fall through */

         case OTHER_TABLES:

           /* all other tables are just copied */

-          if ( count >= ttf_size )

+          if ( count >= face->ttf_size )

           {

-            FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));

+            FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));

             error = T42_Err_Invalid_File_Format;

             goto Fail;

           }

--

cgit v0.9.0.2