diff options
author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2011-07-18 21:15:34 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2011-07-18 21:15:34 +0000 |
commit | c3f5725cdd6514c19a8acb33e5c4eff153abd527 (patch) | |
tree | ec2799bcbd3220d365d6b130fd34da5542aa4bd6 | |
parent | 18c040ad5197a47d908cba66fdac8e77c83809e4 (diff) |
Fix for CVE-2011-0226 from Freetype git repository.
-rw-r--r-- | lib/freetype/src/psaux/t1decode.c | 88 |
1 files changed, 47 insertions, 41 deletions
diff --git a/lib/freetype/src/psaux/t1decode.c b/lib/freetype/src/psaux/t1decode.c index ea31c51b1..daeea1e7e 100644 --- a/lib/freetype/src/psaux/t1decode.c +++ b/lib/freetype/src/psaux/t1decode.c @@ -4,8 +4,7 @@ /* */ /* PostScript Type 1 decoding routines (body). */ /* */ -/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 */ -/* 2010 by */ +/* Copyright 2000-2011 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -28,6 +27,8 @@ #include "psauxerr.h" +/* ensure proper sign extension */ +#define Fix2Int( f ) ( (FT_Int)(FT_Short)( (f) >> 16 ) ) /*************************************************************************/ /* */ @@ -662,7 +663,7 @@ if ( large_int ) FT_TRACE4(( " %ld", value )); else - FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) )); + FT_TRACE4(( " %ld", Fix2Int( value ) )); #endif *top++ = value; @@ -684,8 +685,8 @@ top -= 2; - subr_no = (FT_Int)( top[1] >> 16 ); - arg_cnt = (FT_Int)( top[0] >> 16 ); + subr_no = Fix2Int( top[1] ); + arg_cnt = Fix2Int( top[0] ); /***********************************************************/ /* */ @@ -724,6 +725,24 @@ switch ( subr_no ) { + case 0: /* end flex feature */ + if ( arg_cnt != 3 ) + goto Unexpected_OtherSubr; + + if ( decoder->flex_state == 0 || + decoder->num_flex_vectors != 7 ) + { + FT_ERROR(( "t1_decoder_parse_charstrings:" + " unexpected flex end\n" )); + goto Syntax_Error; + } + + /* the two `results' are popped by the following setcurrentpoint */ + top[0] = x; + top[1] = y; + known_othersubr_result_cnt = 2; + break; + case 1: /* start flex feature */ if ( arg_cnt != 0 ) goto Unexpected_OtherSubr; @@ -757,24 +776,6 @@ } break; - case 0: /* end flex feature */ - if ( arg_cnt != 3 ) - goto Unexpected_OtherSubr; - - if ( decoder->flex_state == 0 || - decoder->num_flex_vectors != 7 ) - { - FT_ERROR(( "t1_decoder_parse_charstrings:" - " unexpected flex end\n" )); - goto Syntax_Error; - } - - /* the two `results' are popped by the following setcurrentpoint */ - top[0] = x; - top[1] = y; - known_othersubr_result_cnt = 2; - break; - case 3: /* change hints */ if ( arg_cnt != 1 ) goto Unexpected_OtherSubr; @@ -818,17 +819,18 @@ goto Syntax_Error; } - /* we want to compute: */ + /* We want to compute */ /* */ - /* a0*w0 + a1*w1 + ... + ak*wk */ + /* a0*w0 + a1*w1 + ... + ak*wk */ /* */ - /* but we only have the a0, a1-a0, a2-a0, .. ak-a0 */ - /* however, given that w0 + w1 + ... + wk == 1, we can */ - /* rewrite it easily as: */ + /* but we only have a0, a1-a0, a2-a0, ..., ak-a0. */ /* */ - /* a0 + (a1-a0)*w1 + (a2-a0)*w2 + .. + (ak-a0)*wk */ + /* However, given that w0 + w1 + ... + wk == 1, we can */ + /* rewrite it easily as */ /* */ - /* where k == num_designs-1 */ + /* a0 + (a1-a0)*w1 + (a2-a0)*w2 + ... + (ak-a0)*wk */ + /* */ + /* where k == num_designs-1. */ /* */ /* I guess that's why it's written in this `compact' */ /* form. */ @@ -862,7 +864,7 @@ if ( arg_cnt != 1 || blend == NULL ) goto Unexpected_OtherSubr; - idx = (FT_Int)( top[0] >> 16 ); + idx = Fix2Int( top[0] ); if ( idx < 0 || idx + blend->num_designs > decoder->len_buildchar ) @@ -930,7 +932,7 @@ if ( arg_cnt != 2 || blend == NULL ) goto Unexpected_OtherSubr; - idx = (FT_Int)( top[1] >> 16 ); + idx = Fix2Int( top[1] ); if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar ) goto Unexpected_OtherSubr; @@ -951,7 +953,7 @@ if ( arg_cnt != 1 || blend == NULL ) goto Unexpected_OtherSubr; - idx = (FT_Int)( top[0] >> 16 ); + idx = Fix2Int( top[0] ); if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar ) goto Unexpected_OtherSubr; @@ -1009,11 +1011,15 @@ break; default: - FT_ERROR(( "t1_decoder_parse_charstrings:" - " unknown othersubr [%d %d], wish me luck\n", - arg_cnt, subr_no )); - unknown_othersubr_result_cnt = arg_cnt; - break; + if ( arg_cnt >= 0 && subr_no >= 0 ) + { + FT_ERROR(( "t1_decoder_parse_charstrings:" + " unknown othersubr [%d %d], wish me luck\n", + arg_cnt, subr_no )); + unknown_othersubr_result_cnt = arg_cnt; + break; + } + /* fall through */ Unexpected_OtherSubr: FT_ERROR(( "t1_decoder_parse_charstrings:" @@ -1139,8 +1145,8 @@ top[0], top[1], top[2], - (FT_Int)( top[3] >> 16 ), - (FT_Int)( top[4] >> 16 ) ); + Fix2Int( top[3] ), + Fix2Int( top[4] ) ); case op_sbw: FT_TRACE4(( " sbw" )); @@ -1324,7 +1330,7 @@ FT_TRACE4(( " callsubr" )); - idx = (FT_Int)( top[0] >> 16 ); + idx = Fix2Int( top[0] ); if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs ) { FT_ERROR(( "t1_decoder_parse_charstrings:" |