commit 453316792fee912cfced48e9e270e9eb19892e64
Author: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
Date: Wed Nov 26 16:02:17 2014 +0900
* src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long
variables to read the lengths in POST fragments. Suggested by
Mateusz Jurczyk <mjurczyk@google.com>.
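diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 922216e..dfad24a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1545,9 +1545,9 @@
 FT_Memory memory = library->memory;
 FT_Byte* pfb_data = NULL;
 int i, type, flags;
- FT_Long len;
- FT_Long pfb_len, pfb_pos, pfb_lenpos;
- FT_Long rlen, temp;
+ FT_ULong len;
+ FT_ULong pfb_len, pfb_pos, pfb_lenpos;
+ FT_ULong rlen, temp;
 
 
 if ( face_index == -1 )
@@ -1563,25 +1563,25 @@
 error = FT_Stream_Seek( stream, offsets[i] );
 if ( error )
 goto Exit;
- if ( FT_READ_LONG( temp ) )
+ if ( FT_READ_ULONG( temp ) )
 goto Exit;
- if ( 0 > temp )
+ FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp));
+ if ( 0x7FFFFFFFUL < temp )
+ {
 error = FT_Err_Invalid_Offset;
- else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
- error = FT_Err_Array_Too_Large;
-
- if ( error )
 goto Exit;
+ }
 
 pfb_len += temp + 6;
 }
 
- if ( 0x7FFFFFFFL - 2 < pfb_len )
+ FT_TRACE2(( " total buffer size to concatenate %d POST fragments: 0x%08x\n",
+ resource_cnt, pfb_len + 2));
+ if ( pfb_len + 2 < 6 ) {
 error = FT_Err_Array_Too_Large;
- else
- error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
-
- if ( error )
+ goto Exit;
+ }
+ if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
 goto Exit;
 
 pfb_data[0] = 0x80;
@@ -1600,21 +1602,25 @@
 error = FT_Stream_Seek( stream, offsets[i] );
 if ( error )
 goto Exit2;
- if ( FT_READ_LONG( rlen ) )
+ if ( FT_READ_ULONG( rlen ) )
 goto Exit;
- if ( rlen < 0 )
+ if ( 0x7FFFFFFFUL < rlen )
 {
 error = FT_Err_Invalid_Offset;
 goto Exit2;
 }
 if ( FT_READ_USHORT( flags ) )
 goto Exit;
 FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
 i, offsets[i], rlen, flags ));
 
+ error = FT_Err_Array_Too_Large;
 /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
 if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
+ {
+ FT_TRACE3(( " Skip POST fragment #%d because it is a comment\n", i ));
 continue;
+ }
 
 /* the flags are part of the resource, so rlen >= 2. */
 /* but some fonts declare rlen = 0 for empty fragment */
@@ -1624,16 +1632,10 @@
 rlen = 0;
 
 if ( ( flags >> 8 ) == type )
- {
- if ( 0x7FFFFFFFL - rlen < len )
- {
- error = FT_Err_Array_Too_Large;
- goto Exit2;
- }
 len += rlen;
- }
 else
 {
+ FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
 if ( pfb_lenpos + 3 > pfb_len + 2 )
 goto Exit2;
 pfb_data[pfb_lenpos ] = (FT_Byte)( len );
@@ -1644,6 +1646,7 @@
 if ( ( flags >> 8 ) == 5 ) /* End of font mark */
 break;
 
+ FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
 if ( pfb_pos + 6 > pfb_len + 2 )
 goto Exit2;
 pfb_data[pfb_pos++] = 0x80;
@@ -1659,21 +1662,17 @@
 pfb_data[pfb_pos++] = 0;
 }
 
- error = FT_Err_Cannot_Open_Resource;
- if ( rlen > 0x7FFFFFFFL - pfb_pos )
- {
- error = FT_Err_Array_Too_Large;
- goto Exit2;
- }
 if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
 goto Exit2;
 
+ FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
 error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
 if ( error )
 goto Exit2;
 pfb_pos += rlen;
 }
 
+ error = FT_Err_Array_Too_Large;
 if ( pfb_pos + 2 > pfb_len + 2 )
 goto Exit2;
 pfb_data[pfb_pos++] = 0x80;
@@ -1694,6 +1693,12 @@
 aface );
 
 Exit2:
+ if ( error == FT_Err_Array_Too_Large )
+ FT_TRACE2(( " Abort due to too-short buffer to store all POST fragments\n" ));
+ else if ( error == FT_Err_Invalid_Offset )
+ FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" ));
+ if ( error )
+ error = FT_Err_Cannot_Open_Resource;
 FT_FREE( pfb_data );
 
 Exit: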
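Review bot: The running total `pfb_len += temp + 6` in the first loop has lost its overflow guard: the removed `0x7FFFFFFFL - 6 - pfb_len < temp` test bounded the sum, while the new `0x7FFFFFFFUL < temp` test bounds only each fragment length read from the font. If FT_ULong is 32 bits wide on a target (its definition is not visible here), several large declared lengths can wrap the total, and `pfb_len + 2 < 6` only catches a wrap that lands on a very small value, so FT_ALLOC may be sized from a wrapped length. The later write guards such as `pfb_pos + rlen > pfb_len` are unsigned sums as well, so they may still stop the copy but should not be the only defence. Keeping the accumulated bound in unsigned form, `if ( 0x7FFFFFFFUL - 6 < pfb_len || 0x7FFFFFFFUL - 6 - pfb_len < temp )`, would preserve the old guarantee. The same question applies to `len += rlen` in the second loop, whose `0x7FFFFFFFL - rlen < len` test was also removed; the function body starts and ends outside these hunks.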