summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthieu Herrb <matthieu@cvs.openbsd.org>2011-07-18 21:15:34 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2011-07-18 21:15:34 +0000
commitc3f5725cdd6514c19a8acb33e5c4eff153abd527 (patch)
treeec2799bcbd3220d365d6b130fd34da5542aa4bd6
parent18c040ad5197a47d908cba66fdac8e77c83809e4 (diff)
Fix for CVE-2011-0226 from Freetype git repository.
-rw-r--r--lib/freetype/src/psaux/t1decode.c88
1 files changed, 47 insertions, 41 deletions
diff --git a/lib/freetype/src/psaux/t1decode.c b/lib/freetype/src/psaux/t1decode.c
index ea31c51b1..daeea1e7e 100644
--- a/lib/freetype/src/psaux/t1decode.c
+++ b/lib/freetype/src/psaux/t1decode.c
@@ -4,8 +4,7 @@
/* */
/* PostScript Type 1 decoding routines (body). */
/* */
-/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 */
-/* 2010 by */
+/* Copyright 2000-2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -28,6 +27,8 @@
#include "psauxerr.h"
+/* ensure proper sign extension */
+#define Fix2Int( f ) ( (FT_Int)(FT_Short)( (f) >> 16 ) )
/*************************************************************************/
/* */
@@ -662,7 +663,7 @@
if ( large_int )
FT_TRACE4(( " %ld", value ));
else
- FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) ));
+ FT_TRACE4(( " %ld", Fix2Int( value ) ));
#endif
*top++ = value;
@@ -684,8 +685,8 @@
top -= 2;
- subr_no = (FT_Int)( top[1] >> 16 );
- arg_cnt = (FT_Int)( top[0] >> 16 );
+ subr_no = Fix2Int( top[1] );
+ arg_cnt = Fix2Int( top[0] );
/***********************************************************/
/* */
@@ -724,6 +725,24 @@
switch ( subr_no )
{
+ case 0: /* end flex feature */
+ if ( arg_cnt != 3 )
+ goto Unexpected_OtherSubr;
+
+ if ( decoder->flex_state == 0 ||
+ decoder->num_flex_vectors != 7 )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
+ " unexpected flex end\n" ));
+ goto Syntax_Error;
+ }
+
+ /* the two `results' are popped by the following setcurrentpoint */
+ top[0] = x;
+ top[1] = y;
+ known_othersubr_result_cnt = 2;
+ break;
+
case 1: /* start flex feature */
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
@@ -757,24 +776,6 @@
}
break;
- case 0: /* end flex feature */
- if ( arg_cnt != 3 )
- goto Unexpected_OtherSubr;
-
- if ( decoder->flex_state == 0 ||
- decoder->num_flex_vectors != 7 )
- {
- FT_ERROR(( "t1_decoder_parse_charstrings:"
- " unexpected flex end\n" ));
- goto Syntax_Error;
- }
-
- /* the two `results' are popped by the following setcurrentpoint */
- top[0] = x;
- top[1] = y;
- known_othersubr_result_cnt = 2;
- break;
-
case 3: /* change hints */
if ( arg_cnt != 1 )
goto Unexpected_OtherSubr;
@@ -818,17 +819,18 @@
goto Syntax_Error;
}
- /* we want to compute: */
+ /* We want to compute */
/* */
- /* a0*w0 + a1*w1 + ... + ak*wk */
+ /* a0*w0 + a1*w1 + ... + ak*wk */
/* */
- /* but we only have the a0, a1-a0, a2-a0, .. ak-a0 */
- /* however, given that w0 + w1 + ... + wk == 1, we can */
- /* rewrite it easily as: */
+ /* but we only have a0, a1-a0, a2-a0, ..., ak-a0. */
/* */
- /* a0 + (a1-a0)*w1 + (a2-a0)*w2 + .. + (ak-a0)*wk */
+ /* However, given that w0 + w1 + ... + wk == 1, we can */
+ /* rewrite it easily as */
/* */
- /* where k == num_designs-1 */
+ /* a0 + (a1-a0)*w1 + (a2-a0)*w2 + ... + (ak-a0)*wk */
+ /* */
+ /* where k == num_designs-1. */
/* */
/* I guess that's why it's written in this `compact' */
/* form. */
@@ -862,7 +864,7 @@
if ( arg_cnt != 1 || blend == NULL )
goto Unexpected_OtherSubr;
- idx = (FT_Int)( top[0] >> 16 );
+ idx = Fix2Int( top[0] );
if ( idx < 0 ||
idx + blend->num_designs > decoder->len_buildchar )
@@ -930,7 +932,7 @@
if ( arg_cnt != 2 || blend == NULL )
goto Unexpected_OtherSubr;
- idx = (FT_Int)( top[1] >> 16 );
+ idx = Fix2Int( top[1] );
if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
goto Unexpected_OtherSubr;
@@ -951,7 +953,7 @@
if ( arg_cnt != 1 || blend == NULL )
goto Unexpected_OtherSubr;
- idx = (FT_Int)( top[0] >> 16 );
+ idx = Fix2Int( top[0] );
if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
goto Unexpected_OtherSubr;
@@ -1009,11 +1011,15 @@
break;
default:
- FT_ERROR(( "t1_decoder_parse_charstrings:"
- " unknown othersubr [%d %d], wish me luck\n",
- arg_cnt, subr_no ));
- unknown_othersubr_result_cnt = arg_cnt;
- break;
+ if ( arg_cnt >= 0 && subr_no >= 0 )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
+ " unknown othersubr [%d %d], wish me luck\n",
+ arg_cnt, subr_no ));
+ unknown_othersubr_result_cnt = arg_cnt;
+ break;
+ }
+ /* fall through */
Unexpected_OtherSubr:
FT_ERROR(( "t1_decoder_parse_charstrings:"
@@ -1139,8 +1145,8 @@
top[0],
top[1],
top[2],
- (FT_Int)( top[3] >> 16 ),
- (FT_Int)( top[4] >> 16 ) );
+ Fix2Int( top[3] ),
+ Fix2Int( top[4] ) );
case op_sbw:
FT_TRACE4(( " sbw" ));
@@ -1324,7 +1330,7 @@
FT_TRACE4(( " callsubr" ));
- idx = (FT_Int)( top[0] >> 16 );
+ idx = Fix2Int( top[0] );
if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs )
{
FT_ERROR(( "t1_decoder_parse_charstrings:"