From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 8 Dec 2014 16:01:50 +0100 Subject: [PATCH] [pcf] Fix Savannah bug #43774. Work around `features' of X11's `pcfWriteFont' and `pcfReadFont' functions. Since the PCF format doesn't have an official specification, we have to exactly follow these functions' behaviour. The problem was unveiled with a patch from 2014-11-06, fixing issue #43547. * src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last element. Instead, assign real size. --- ChangeLog | 14 ++++++++++++++ src/pcf/pcfread.c | 54 +++++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 57 insertions(+), 11 deletions(-) diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c index 998cbed..e3caf82 100644 --- a/src/pcf/pcfread.c +++ b/src/pcf/pcfread.c @@ -95,9 +95,11 @@ THE SOFTWARE. FT_Memory memory = FT_FACE(face)->memory; FT_UInt n; + FT_ULong size; - if ( FT_STREAM_SEEK ( 0 ) || - FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) ) + + if ( FT_STREAM_SEEK( 0 ) || + FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) ) return PCF_Err_Cannot_Open_Resource; if ( toc->version != PCF_FILE_VERSION || @@ -151,14 +153,35 @@ THE SOFTWARE. break; } - /* we now check whether the `size' and `offset' values are reasonable: */ - /* `offset' + `size' must not exceed the stream size */ + /* + * We now check whether the `size' and `offset' values are reasonable: + * `offset' + `size' must not exceed the stream size. + * + * Note, however, that X11's `pcfWriteFont' routine (used by the + * `bdftopcf' program to create PDF font files) has two special + * features. + * + * - It always assigns the accelerator table a size of 100 bytes in the + * TOC, regardless of its real size, which can vary between 34 and 72 + * bytes. + * + * - Due to the way the routine is designed, it ships out the last font + * table with its real size, ignoring the TOC's size value. Since + * the TOC size values are always rounded up to a multiple of 4, the + * difference can be up to three bytes for all tables except the + * accelerator table, for which the difference can be as large as 66 + * bytes. + * + */ + tables = face->toc.tables; - for ( n = 0; n < toc->count; n++ ) + size = stream->size; + + for ( n = 0; n < toc->count - 1; n++ ) { /* we need two checks to avoid overflow */ - if ( ( tables->size > stream->size ) || - ( tables->offset > stream->size - tables->size ) ) + if ( ( tables->size > size ) || + ( tables->offset > size - tables->size ) ) { error = PCF_Err_Invalid_Table; goto Exit; @@ -166,6 +189,15 @@ THE SOFTWARE. tables++; } + /* no check of `tables->size' for last table element ... */ + if ( ( tables->offset > size ) ) + { + error = PCF_Err_Invalid_Table; + goto Exit; + } + /* ... instead, we adjust `tables->size' to the real value */ + tables->size = size - tables->offset; + #ifdef FT_DEBUG_LEVEL_TRACE { @@ -714,8 +746,8 @@ THE SOFTWARE. FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps )); - /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */ - if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics ) + /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */ + if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics ) return PCF_Err_Invalid_File_Format; if ( FT_NEW_ARRAY( offsets, nbitmaps ) ) -- 2.1.0