diff options
| author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2010-07-17 14:06:44 +0000 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2010-07-17 14:06:44 +0000 |
| commit | 1e13f6363033b2eb116ee6542e0de7c13407f78a (patch) | |
| tree | 5a3f4a90a2fcbe7f9d674d333f056cd6a85bcaf7 | |
| parent | f92a5633e3951b914ac756372731fc3b9a7e7bce (diff) | |
patches from Freetype.org for the security issues found by Robert Swiecki:
CVE-2010-2497 freetype integer underflow
CVE-2010-2498 freetype invalid free
CVE-2010-2499 freetype buffer overflow
CVE-2010-2500 freetype integer overflow
CVE-2010-2519 freetype heap buffer overflow
CVE-2010-2520 freetype buffer overflow on heap
| -rw-r--r-- | lib/freetype/include/freetype/config/ftoption.h | 21 | ||||
| -rw-r--r-- | lib/freetype/include/freetype/fterrdef.h | 18 | ||||
| -rw-r--r-- | lib/freetype/src/autofit/afglobal.c | 9 | ||||
| -rw-r--r-- | lib/freetype/src/base/ftobjs.c | 79 | ||||
| -rw-r--r-- | lib/freetype/src/bdf/bdflib.c | 29 | ||||
| -rw-r--r-- | lib/freetype/src/cache/ftccmap.c | 24 | ||||
| -rw-r--r-- | lib/freetype/src/cff/cffgload.c | 2 | ||||
| -rw-r--r-- | lib/freetype/src/cff/cffobjs.c | 19 | ||||
| -rw-r--r-- | lib/freetype/src/cff/cffparse.c | 7 | ||||
| -rw-r--r-- | lib/freetype/src/pcf/pcfread.c | 6 | ||||
| -rw-r--r-- | lib/freetype/src/pfr/pfrgload.c | 24 | ||||
| -rw-r--r-- | lib/freetype/src/pfr/pfrobjs.c | 13 | ||||
| -rw-r--r-- | lib/freetype/src/psaux/psobjs.c | 7 | ||||
| -rw-r--r-- | lib/freetype/src/pshinter/pshalgo.c | 12 | ||||
| -rw-r--r-- | lib/freetype/src/sfnt/ttcmap.c | 15 | ||||
| -rw-r--r-- | lib/freetype/src/sfnt/ttload.c | 12 | ||||
| -rw-r--r-- | lib/freetype/src/smooth/ftgrays.c | 37 | ||||
| -rw-r--r-- | lib/freetype/src/smooth/ftsmooth.c | 4 | ||||
| -rw-r--r-- | lib/freetype/src/truetype/ttinterp.c | 4 |
19 files changed, 267 insertions, 75 deletions
diff --git a/lib/freetype/include/freetype/config/ftoption.h b/lib/freetype/include/freetype/config/ftoption.h index 5fac8672b..5d01c7a91 100644 --- a/lib/freetype/include/freetype/config/ftoption.h +++ b/lib/freetype/include/freetype/config/ftoption.h @@ -691,6 +691,27 @@ FT_BEGIN_HEADER /* + * To detect legacy cache-lookup call from a rogue client (<= 2.1.7), + * we restrict the number of charmaps in a font. The current API of + * FTC_CMapCache_Lookup() takes cmap_index & charcode, but old API + * takes charcode only. To determine the passed value is for cmap_index + * or charcode, the possible cmap_index is restricted not to exceed + * the minimum possible charcode by a rogue client. It is also very + * unlikely that a rogue client is interested in Unicode values 0 to 15. + * + * NOTE: The original threshold was 4 deduced from popular number of + * cmap subtables in UCS-4 TrueType fonts, but now it is not + * irregular for OpenType fonts to have more than 4 subtables, + * because variation selector subtables are available for Apple + * and Microsoft platforms. + */ + +#ifdef FT_CONFIG_OPTION_OLD_INTERNALS +#define FT_MAX_CHARMAP_CACHEABLE 15 +#endif + + + /* * This macro is defined if either unpatented or native TrueType * hinting is requested by the definitions above. */ diff --git a/lib/freetype/include/freetype/fterrdef.h b/lib/freetype/include/freetype/fterrdef.h index ab8c3f7d9..ceda1a9c2 100644 --- a/lib/freetype/include/freetype/fterrdef.h +++ b/lib/freetype/include/freetype/fterrdef.h @@ -4,7 +4,7 @@ /* */ /* FreeType error codes (specification). */ /* */ -/* Copyright 2002, 2004, 2006 by */ +/* Copyright 2002, 2004, 2006, 2007, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -220,16 +220,22 @@ "`FONT' field missing" ) FT_ERRORDEF_( Missing_Size_Field, 0xB2, \ "`SIZE' field missing" ) - FT_ERRORDEF_( Missing_Chars_Field, 0xB3, \ + FT_ERRORDEF_( Missing_Fontboundingbox_Field, 0xB3, \ + "`FONTBOUNDINGBOX' field missing" ) + FT_ERRORDEF_( Missing_Chars_Field, 0xB4, \ "`CHARS' field missing" ) - FT_ERRORDEF_( Missing_Startchar_Field, 0xB4, \ + FT_ERRORDEF_( Missing_Startchar_Field, 0xB5, \ "`STARTCHAR' field missing" ) - FT_ERRORDEF_( Missing_Encoding_Field, 0xB5, \ + FT_ERRORDEF_( Missing_Encoding_Field, 0xB6, \ "`ENCODING' field missing" ) - FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ + FT_ERRORDEF_( Missing_Bbx_Field, 0xB7, \ "`BBX' field missing" ) - FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \ + FT_ERRORDEF_( Bbx_Too_Big, 0xB8, \ "`BBX' too big" ) + FT_ERRORDEF_( Corrupted_Font_Header, 0xB9, \ + "Font header corrupted or missing fields" ) + FT_ERRORDEF_( Corrupted_Font_Glyphs, 0xBA, \ + "Font glyphs corrupted or missing fields" ) /* END */ diff --git a/lib/freetype/src/autofit/afglobal.c b/lib/freetype/src/autofit/afglobal.c index ac293619d..afe0dac82 100644 --- a/lib/freetype/src/autofit/afglobal.c +++ b/lib/freetype/src/autofit/afglobal.c @@ -4,7 +4,7 @@ /* */ /* Auto-fitter routines to compute global hinting values (body). */ /* */ -/* Copyright 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -167,8 +167,11 @@ for ( nn = 0; nn < globals->glyph_count; nn++ ) { - if ( gscripts[nn] == AF_SCRIPT_LIST_NONE ) - gscripts[nn] = AF_SCRIPT_LIST_DEFAULT; + if ( ( gscripts[nn] & ~AF_DIGIT ) == AF_SCRIPT_LIST_NONE ) + { + gscripts[nn] &= ~AF_SCRIPT_LIST_NONE; + gscripts[nn] |= AF_SCRIPT_LIST_DEFAULT; + } } } diff --git a/lib/freetype/src/base/ftobjs.c b/lib/freetype/src/base/ftobjs.c index 46bcd3bb8..28cd4fce3 100644 --- a/lib/freetype/src/base/ftobjs.c +++ b/lib/freetype/src/base/ftobjs.c @@ -992,6 +992,14 @@ ( cur[0]->platform_id == TT_PLATFORM_APPLE_UNICODE && cur[0]->encoding_id == TT_APPLE_ID_UNICODE_32 ) ) { +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( cur - first > FT_MAX_CHARMAP_CACHEABLE ) + { + FT_ERROR(( "find_unicode_charmap: UCS-4 cmap is found " + "at too late position (%d)\n", cur - first )); + continue; + } +#endif face->charmap = cur[0]; return FT_Err_Ok; } @@ -1006,6 +1014,14 @@ { if ( cur[0]->encoding == FT_ENCODING_UNICODE ) { +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( cur - first > FT_MAX_CHARMAP_CACHEABLE ) + { + FT_ERROR(( "find_unicode_charmap: UCS-2 cmap is found " + "at too late position (%d)\n", cur - first )); + continue; + } +#endif face->charmap = cur[0]; return FT_Err_Ok; } @@ -1047,6 +1063,14 @@ if ( cur[0]->platform_id == TT_PLATFORM_APPLE_UNICODE && cur[0]->encoding_id == TT_APPLE_ID_VARIANT_SELECTOR && FT_Get_CMap_Format( cur[0] ) == 14 ) +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( cur - first > FT_MAX_CHARMAP_CACHEABLE ) + { + FT_ERROR(( "find_unicode_charmap: UVS cmap is found " + "at too late position (%d)\n", cur - first )); + continue; + } +#endif return cur[0]; } @@ -1548,11 +1572,25 @@ goto Exit; if ( FT_READ_USHORT( flags ) ) goto Exit; - rlen -= 2; /* the flags are part of the resource */ + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", + i, offsets[i], rlen, flags )); + + if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ + continue; + + /* the flags are part of the resource, so rlen >= 2. */ + /* but some fonts declare rlen = 0 for empty fragment */ + if ( rlen > 2 ) + rlen -= 2; + else + rlen = 0; + if ( ( flags >> 8 ) == type ) len += rlen; else { + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 ); pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 ); @@ -1561,6 +1599,8 @@ if ( ( flags >> 8 ) == 5 ) /* End of font mark */ break; + if ( pfb_pos + 6 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_pos++] = 0x80; type = flags >> 8; @@ -1575,12 +1615,18 @@ } error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); + if ( error ) + goto Exit2; pfb_pos += rlen; } + if ( pfb_pos + 2 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_pos++] = 0x80; pfb_data[pfb_pos++] = 3; + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 ); pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 ); @@ -2901,6 +2947,15 @@ { if ( cur[0]->encoding == encoding ) { +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( cur - face->charmaps > FT_MAX_CHARMAP_CACHEABLE ) + { + FT_ERROR(( "FT_Select_Charmap: requested charmap is found (%d), " + "but in too late position to cache\n", + cur - face->charmaps )); + continue; + } +#endif face->charmap = cur[0]; return 0; } @@ -2935,6 +2990,15 @@ { if ( cur[0] == charmap ) { +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( cur - face->charmaps > FT_MAX_CHARMAP_CACHEABLE ) + { + FT_ERROR(( "FT_Set_Charmap: requested charmap is found (%d), " + "but in too late position to cache\n", + cur - face->charmaps )); + continue; + } +#endif face->charmap = cur[0]; return 0; } @@ -2957,6 +3021,15 @@ FT_ASSERT( i < charmap->face->num_charmaps ); +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( i > FT_MAX_CHARMAP_CACHEABLE ) + { + FT_ERROR(( "FT_Get_Charmap_Index: requested charmap is found (%d), " + "but in too late position to cache\n", + i )); + return -i; + } +#endif return i; } @@ -3109,7 +3182,7 @@ FT_UInt gindex = 0; - if ( face && face->charmap ) + if ( face && face->charmap && face->num_glyphs ) { gindex = FT_Get_Char_Index( face, 0 ); if ( gindex == 0 ) @@ -3134,7 +3207,7 @@ FT_UInt gindex = 0; - if ( face && face->charmap ) + if ( face && face->charmap && face->num_glyphs ) { FT_UInt32 code = (FT_UInt32)charcode; FT_CMap cmap = FT_CMAP( face->charmap ); diff --git a/lib/freetype/src/bdf/bdflib.c b/lib/freetype/src/bdf/bdflib.c index 5fa5868c7..6a5b4a909 100644 --- a/lib/freetype/src/bdf/bdflib.c +++ b/lib/freetype/src/bdf/bdflib.c @@ -1,6 +1,6 @@ /* * Copyright 2000 Computing Research Labs, New Mexico State University - * Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2009 + * Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2009, 2010 * Francesco Zappa Nardelli * * Permission is hereby granted, free of charge, to any person obtaining a @@ -470,6 +470,11 @@ } + /* An empty string for empty fields. */ + + static const char empty[1] = { 0 }; /* XXX eliminate this */ + + static char * _bdf_list_join( _bdf_list_t* list, int c, @@ -494,18 +499,14 @@ if ( i + 1 < list->used ) dp[j++] = (char)c; } - dp[j] = 0; + if ( dp != empty ) + dp[j] = 0; *alen = j; return dp; } - /* An empty string for empty fields. */ - - static const char empty[1] = { 0 }; /* XXX eliminate this */ - - static FT_Error _bdf_list_split( _bdf_list_t* list, char* separators, @@ -1867,6 +1868,9 @@ error = BDF_Err_Invalid_File_Format; Exit: + if ( error && ( p->flags & _BDF_GLYPH ) ) + FT_FREE( p->glyph_name ); + return error; } @@ -2077,6 +2081,14 @@ /* Check for the start of the properties. */ if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 ) { + if ( !(p->flags & _BDF_FONT_BBX ) ) + { + /* Missing the FONTBOUNDINGBOX field. */ + FT_ERROR(( "_bdf_parse_start: " ERRMSG1, lineno, "FONTBOUNDINGBOX" )); + error = BDF_Err_Missing_Fontboundingbox_Field; + goto Exit; + } + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); if ( error ) goto Exit; @@ -2139,6 +2151,9 @@ goto Exit; } + /* Allowing multiple `FONT' lines (which is invalid) doesn't hurt... */ + FT_FREE( p->font->name ); + if ( FT_NEW_ARRAY( p->font->name, slen + 1 ) ) goto Exit; FT_MEM_COPY( p->font->name, s, slen + 1 ); diff --git a/lib/freetype/src/cache/ftccmap.c b/lib/freetype/src/cache/ftccmap.c index a802b0557..e0d3e2435 100644 --- a/lib/freetype/src/cache/ftccmap.c +++ b/lib/freetype/src/cache/ftccmap.c @@ -310,19 +310,11 @@ #ifdef FT_CONFIG_OPTION_OLD_INTERNALS /* - * Detect a call from a rogue client that thinks it is linking - * to FreeType 2.1.7. This is possible because the third parameter - * is then a character code, and we have never seen any font with - * more than a few charmaps, so if the index is very large... - * - * It is also very unlikely that a rogue client is interested - * in Unicode values 0 to 15. - * - * NOTE: The original threshold was 4, but we found a font from the - * Adobe Acrobat Reader Pack, named `KozMinProVI-Regular.otf', - * which contains more than 5 charmaps. + * If cmap_index is greater than the maximum number of cachable + * charmaps, we assume the request is from a legacy rogue client + * using old internal header. See include/config/ftoption.h. */ - if ( cmap_index >= 16 && !no_cmap_change ) + if ( cmap_index > FT_MAX_CHARMAP_CACHEABLE && !no_cmap_change ) { FTC_OldCMapDesc desc = (FTC_OldCMapDesc) face_id; @@ -384,7 +376,7 @@ /* something rotten can happen with rogue clients */ if ( (FT_UInt)( char_code - FTC_CMAP_NODE( node )->first >= FTC_CMAP_INDICES_MAX ) ) - return 0; + return 0; /* XXX: should return appropriate error */ gindex = FTC_CMAP_NODE( node )->indices[char_code - FTC_CMAP_NODE( node )->first]; @@ -401,6 +393,12 @@ if ( error ) goto Exit; +#ifdef FT_MAX_CHARMAP_CACHEABLE + /* something rotten can happen with rogue clients */ + if ( cmap_index > FT_MAX_CHARMAP_CACHEABLE ) + return 0; /* XXX: should return appropriate error */ +#endif + if ( (FT_UInt)cmap_index < (FT_UInt)face->num_charmaps ) { FT_CharMap old, cmap = NULL; diff --git a/lib/freetype/src/cff/cffgload.c b/lib/freetype/src/cff/cffgload.c index 9330c0588..fa7b36d52 100644 --- a/lib/freetype/src/cff/cffgload.c +++ b/lib/freetype/src/cff/cffgload.c @@ -2276,6 +2276,8 @@ /* this is the implementation described for `unknown' other */ /* subroutines in the Type1 spec. */ args -= 2 + ( args[-2] >> 16 ); + if ( args < stack ) + goto Stack_Underflow; break; case cff_op_pop: diff --git a/lib/freetype/src/cff/cffobjs.c b/lib/freetype/src/cff/cffobjs.c index bd56c4ba1..55f70724b 100644 --- a/lib/freetype/src/cff/cffobjs.c +++ b/lib/freetype/src/cff/cffobjs.c @@ -863,6 +863,16 @@ if ( pure_cff && cff->top_font.font_dict.cid_registry != 0xFFFFU ) goto Exit; +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( nn + 1 > FT_MAX_CHARMAP_CACHEABLE ) + { + FT_ERROR(( "cff_face_init: no Unicode cmap is found, " + "and too many subtables (%d) to add synthesized cmap\n", + nn )); + goto Exit; + } +#endif + /* we didn't find a Unicode charmap -- synthesize one */ cmaprec.face = cffface; cmaprec.platform_id = 3; @@ -878,6 +888,15 @@ cffface->charmap = cffface->charmaps[nn]; Skip_Unicode: +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( nn > FT_MAX_CHARMAP_CACHEABLE ) + { + FT_ERROR(( "cff_face_init: Unicode cmap is found, " + "but too many preceding subtables (%d) to access\n", + nn - 1 )); + goto Exit; + } +#endif if ( encoding->count > 0 ) { FT_CMap_Class clazz; diff --git a/lib/freetype/src/cff/cffparse.c b/lib/freetype/src/cff/cffparse.c index 01266a193..a44742b94 100644 --- a/lib/freetype/src/cff/cffparse.c +++ b/lib/freetype/src/cff/cffparse.c @@ -337,6 +337,13 @@ fraction_length += integer_length; } + /* this can only happen if exponent was non-zero */ + if ( fraction_length == 10 ) + { + number /= 10; + fraction_length -= 1; + } + /* Convert into 16.16 format. */ if ( fraction_length > 0 ) { diff --git a/lib/freetype/src/pcf/pcfread.c b/lib/freetype/src/pcf/pcfread.c index 08becf99c..f7326238c 100644 --- a/lib/freetype/src/pcf/pcfread.c +++ b/lib/freetype/src/pcf/pcfread.c @@ -2,7 +2,8 @@ FreeType font driver for pcf fonts - Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by + Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, + 2010 by Francesco Zappa Nardelli Permission is hereby granted, free of charge, to any person obtaining a copy @@ -607,6 +608,9 @@ THE SOFTWARE. face->nmetrics = nmetrics; + if ( !nmetrics ) + return PCF_Err_Invalid_Table; + FT_TRACE4(( "pcf_get_metrics:\n" )); FT_TRACE4(( " number of metrics: %d\n", nmetrics )); diff --git a/lib/freetype/src/pfr/pfrgload.c b/lib/freetype/src/pfr/pfrgload.c index 6fe6e4225..5ba7163e0 100644 --- a/lib/freetype/src/pfr/pfrgload.c +++ b/lib/freetype/src/pfr/pfrgload.c @@ -4,7 +4,7 @@ /* */ /* FreeType PFR glyph loader (body). */ /* */ -/* Copyright 2002, 2003, 2005, 2007 by */ +/* Copyright 2002, 2003, 2005, 2007, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -268,8 +268,8 @@ { PFR_CHECK( 1 ); count = PFR_NEXT_BYTE( p ); - x_count = ( count & 15 ); - y_count = ( count >> 4 ); + x_count = count & 15; + y_count = count >> 4; } else { @@ -388,7 +388,7 @@ case 2: /* horizontal line to */ FT_TRACE6(( "- horizontal line to cx.%d", format_low )); - if ( format_low > x_count ) + if ( format_low >= x_count ) goto Failure; pos[0].x = glyph->x_control[format_low]; pos[0].y = pos[3].y; @@ -398,7 +398,7 @@ case 3: /* vertical line to */ FT_TRACE6(( "- vertical line to cy.%d", format_low )); - if ( format_low > y_count ) + if ( format_low >= y_count ) goto Failure; pos[0].x = pos[3].x; pos[0].y = glyph->y_control[format_low]; @@ -440,7 +440,7 @@ case 0: /* 8-bit index */ PFR_CHECK( 1 ); idx = PFR_NEXT_BYTE( p ); - if ( idx > x_count ) + if ( idx >= x_count ) goto Failure; cur->x = glyph->x_control[idx]; FT_TRACE7(( " cx#%d", idx )); @@ -470,7 +470,7 @@ case 0: /* 8-bit index */ PFR_CHECK( 1 ); idx = PFR_NEXT_BYTE( p ); - if ( idx > y_count ) + if ( idx >= y_count ) goto Failure; cur->y = glyph->y_control[idx]; FT_TRACE7(( " cy#%d", idx )); @@ -598,6 +598,16 @@ FT_UInt new_max = ( org_count + count + 3 ) & (FT_UInt)-4; + /* we arbitrarily limit the number of subglyphs */ + /* to avoid endless recursion */ + if ( new_max > 64 ) + { + error = PFR_Err_Invalid_Table; + FT_ERROR(( "pfr_glyph_load_compound:" + " too many compound glyphs components\n" )); + goto Exit; + } + if ( FT_RENEW_ARRAY( glyph->subs, glyph->max_subs, new_max ) ) goto Exit; diff --git a/lib/freetype/src/pfr/pfrobjs.c b/lib/freetype/src/pfr/pfrobjs.c index 56d617d88..40b1463ec 100644 --- a/lib/freetype/src/pfr/pfrobjs.c +++ b/lib/freetype/src/pfr/pfrobjs.c @@ -4,7 +4,7 @@ /* */ /* FreeType PFR object methods (body). */ /* */ -/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008 by */ +/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -147,7 +147,16 @@ break; if ( nn == phy_font->num_chars ) - pfrface->face_flags = 0; /* not scalable */ + { + if ( phy_font->num_strikes > 0 ) + pfrface->face_flags = 0; /* not scalable */ + else + { + FT_ERROR(( "pfr_face_init: font doesn't contain glyphs\n" )); + error = PFR_Err_Invalid_File_Format; + goto Exit; + } + } } if ( (phy_font->flags & PFR_PHY_PROPORTIONAL) == 0 ) diff --git a/lib/freetype/src/psaux/psobjs.c b/lib/freetype/src/psaux/psobjs.c index fe8398ae3..5e8db6e71 100644 --- a/lib/freetype/src/psaux/psobjs.c +++ b/lib/freetype/src/psaux/psobjs.c @@ -1588,6 +1588,13 @@ FT_Error error; + /* this might happen in invalid fonts */ + if ( !outline ) + { + FT_ERROR(( "t1_builder_add_contour: no outline to add points to\n" )); + return PSaux_Err_Invalid_File_Format; + } + if ( !builder->load_points ) { outline->n_contours++; diff --git a/lib/freetype/src/pshinter/pshalgo.c b/lib/freetype/src/pshinter/pshalgo.c index 417dcee54..4b0878594 100644 --- a/lib/freetype/src/pshinter/pshalgo.c +++ b/lib/freetype/src/pshinter/pshalgo.c @@ -4,7 +4,8 @@ /* */ /* PostScript hinting algorithm (body). */ /* */ -/* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 */ +/* by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used */ @@ -1690,7 +1691,10 @@ /* process secondary hints to `selected' points */ if ( num_masks > 1 && glyph->num_points > 0 ) { - first = mask->end_point; + /* the `endchar' op can reduce the number of points */ + first = mask->end_point > glyph->num_points + ? glyph->num_points + : mask->end_point; mask++; for ( ; num_masks > 1; num_masks--, mask++ ) { @@ -1698,7 +1702,9 @@ FT_Int count; - next = mask->end_point; + next = mask->end_point > glyph->num_points + ? glyph->num_points + : mask->end_point; count = next - first; if ( count > 0 ) { diff --git a/lib/freetype/src/sfnt/ttcmap.c b/lib/freetype/src/sfnt/ttcmap.c index b283f6d16..8118980a7 100644 --- a/lib/freetype/src/sfnt/ttcmap.c +++ b/lib/freetype/src/sfnt/ttcmap.c @@ -4,7 +4,7 @@ /* */ /* TrueType character mapping table (cmap) support (body). */ /* */ -/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -3391,11 +3391,12 @@ FT_Byte* limit = table + face->cmap_size; FT_UInt volatile num_cmaps; FT_Byte* volatile p = table; - FT_Library library = FT_FACE_LIBRARY(face); - FT_UNUSED(library); + FT_Library library = FT_FACE_LIBRARY( face ); + FT_UNUSED( library ); - if ( p + 4 > limit ) + + if ( !p || p + 4 > limit ) return SFNT_Err_Invalid_Table; /* only recognize format 0 */ @@ -3409,6 +3410,12 @@ } num_cmaps = TT_NEXT_USHORT( p ); +#ifdef FT_MAX_CHARMAP_CACHEABLE + if ( num_cmaps > FT_MAX_CHARMAP_CACHEABLE ) + FT_ERROR(( "tt_face_build_cmaps: too many cmap subtables(%d) " + "subtable#%d and later are loaded but cannot be searched\n", + num_cmaps, FT_MAX_CHARMAP_CACHEABLE + 1 )); +#endif for ( ; num_cmaps > 0 && p + 8 <= limit; num_cmaps-- ) { diff --git a/lib/freetype/src/sfnt/ttload.c b/lib/freetype/src/sfnt/ttload.c index 3ad33bd6d..1dee019d9 100644 --- a/lib/freetype/src/sfnt/ttload.c +++ b/lib/freetype/src/sfnt/ttload.c @@ -5,7 +5,8 @@ /* Load the basic TrueType tables, i.e., tables that can be either in */ /* TTF or OTF fonts (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */ +/* 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -693,6 +694,15 @@ maxProfile->maxTwilightPoints = 0xFFFFU - 4; } + + /* we arbitrarily limit recursion to avoid stack exhaustion */ + if ( maxProfile->maxComponentDepth > 100 ) + { + FT_TRACE0(( "tt_face_load_maxp:" + " abnormally large component depth (%d) set to 100\n", + maxProfile->maxComponentDepth )); + maxProfile->maxComponentDepth = 100; + } } FT_TRACE3(( "numGlyphs: %u\n", maxProfile->numGlyphs )); diff --git a/lib/freetype/src/smooth/ftgrays.c b/lib/freetype/src/smooth/ftgrays.c index 846e454e6..b04f0d52d 100644 --- a/lib/freetype/src/smooth/ftgrays.c +++ b/lib/freetype/src/smooth/ftgrays.c @@ -1007,45 +1007,40 @@ const FT_Vector* control2, const FT_Vector* to ) { - TPos dx, dy, da, db; + TPos dx, dy; + TPos mid_x, mid_y; int top, level; int* levels; FT_Vector* arc; - dx = DOWNSCALE( ras.x ) + to->x - ( control1->x << 1 ); - if ( dx < 0 ) - dx = -dx; - dy = DOWNSCALE( ras.y ) + to->y - ( control1->y << 1 ); - if ( dy < 0 ) - dy = -dy; - if ( dx < dy ) - dx = dy; - da = dx; + /* Calculate midpoint and compare it with start and end. */ + mid_x = ( DOWNSCALE( ras.x ) + to->x + + 3 * ( control1->x + control2->x ) ) / 8; + mid_y = ( DOWNSCALE( ras.y ) + to->y + + 3 * ( control1->y + control2->y ) ) / 8; - dx = DOWNSCALE( ras.x ) + to->x - 3 * ( control1->x + control2->x ); + dx = DOWNSCALE( ras.x ) + to->x - ( mid_x << 1 ); if ( dx < 0 ) dx = -dx; - dy = DOWNSCALE( ras.y ) + to->y - 3 * ( control1->x + control2->y ); + dy = DOWNSCALE( ras.y ) + to->y - ( mid_y << 1 ); if ( dy < 0 ) dy = -dy; if ( dx < dy ) dx = dy; - db = dx; + /* Check whether an approximation with straight lines is sufficient. */ level = 1; - da = da / ras.cubic_level; - db = db / ras.conic_level; - while ( da > 0 || db > 0 ) + dx = dx / ras.conic_level; + while ( dx > 0 ) { - da >>= 2; - db >>= 3; + dx >>= 3; level++; } if ( level <= 1 ) { - TPos to_x, to_y, mid_x, mid_y; + TPos to_x, to_y; to_x = UPSCALE( to->x ); @@ -1104,7 +1099,7 @@ Draw: { - TPos to_x, to_y, mid_x, mid_y; + TPos to_x, to_y; to_x = arc[0].x; @@ -1189,7 +1184,7 @@ /* first of all, compute the scanline offset */ p = (unsigned char*)map->buffer - y * map->pitch; if ( map->pitch >= 0 ) - p += ( map->rows - 1 ) * map->pitch; + p += (unsigned)( ( map->rows - 1 ) * map->pitch ); for ( ; count > 0; count--, spans++ ) { diff --git a/lib/freetype/src/smooth/ftsmooth.c b/lib/freetype/src/smooth/ftsmooth.c index 3da1c9407..29ca84dcc 100644 --- a/lib/freetype/src/smooth/ftsmooth.c +++ b/lib/freetype/src/smooth/ftsmooth.c @@ -4,7 +4,7 @@ /* */ /* Anti-aliasing renderer interface (body). */ /* */ -/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */ +/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -207,7 +207,7 @@ /* Required check is ( pitch * height < FT_ULONG_MAX ), */ /* but we care realistic cases only. Always pitch <= width. */ - if ( width > 0xFFFFU || height > 0xFFFFU ) + if ( width > 0x7FFFU || height > 0x7FFFU ) { FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", width, height )); diff --git a/lib/freetype/src/truetype/ttinterp.c b/lib/freetype/src/truetype/ttinterp.c index 13aa9a27c..46d5aac2b 100644 --- a/lib/freetype/src/truetype/ttinterp.c +++ b/lib/freetype/src/truetype/ttinterp.c @@ -6466,8 +6466,8 @@ end_point = CUR.pts.contours[contour] - CUR.pts.first_point; first_point = point; - if ( CUR.pts.n_points <= end_point ) - end_point = CUR.pts.n_points; + if ( BOUNDS ( end_point, CUR.pts.n_points ) ) + end_point = CUR.pts.n_points - 1; while ( point <= end_point && ( CUR.pts.tags[point] & mask ) == 0 ) point++; |