... |
... |
@@ -163,7 +163,7 @@ |
163
|
163
|
FT_Memory memory = stream->memory;
|
164
|
164
|
FT_Error error;
|
165
|
165
|
|
166
|
|
- FT_Int num_glyphs;
|
|
166
|
+ FT_UShort num_glyphs;
|
167
|
167
|
FT_UShort num_names = 0;
|
168
|
168
|
|
169
|
169
|
FT_UShort* glyph_indices = NULL;
|
... |
... |
@@ -179,8 +179,8 @@ |
179
|
179
|
/* There already exist fonts which have more than 32768 glyph names */
|
180
|
180
|
/* in this table, so the test for this threshold has been dropped. */
|
181
|
181
|
|
182
|
|
- if ( num_glyphs > face->max_profile.numGlyphs ||
|
183
|
|
- (FT_ULong)num_glyphs * 2UL > post_len - 2 )
|
|
182
|
+ if ( num_glyphs > face->max_profile.numGlyphs ||
|
|
183
|
+ (FT_ULong)num_glyphs * 2 > post_len )
|
184
|
184
|
{
|
185
|
185
|
error = FT_THROW( Invalid_File_Format );
|
186
|
186
|
goto Exit;
|
... |
... |
@@ -188,12 +188,12 @@ |
188
|
188
|
|
189
|
189
|
/* load the indices and note their maximum */
|
190
|
190
|
{
|
191
|
|
- FT_Int n;
|
|
191
|
+ FT_UShort n;
|
192
|
192
|
FT_UShort idx;
|
193
|
193
|
|
194
|
194
|
|
195
|
195
|
if ( FT_QNEW_ARRAY( glyph_indices, num_glyphs ) ||
|
196
|
|
- FT_FRAME_ENTER( num_glyphs * 2L ) )
|
|
196
|
+ FT_FRAME_ENTER( num_glyphs * 2 ) )
|
197
|
197
|
goto Fail;
|
198
|
198
|
|
199
|
199
|
for ( n = 0; n < num_glyphs; n++ )
|
... |
... |
@@ -218,7 +218,7 @@ |
218
|
218
|
FT_Byte* strings;
|
219
|
219
|
|
220
|
220
|
|
221
|
|
- post_len -= (FT_ULong)num_glyphs * 2UL + 2;
|
|
221
|
+ post_len -= (FT_ULong)num_glyphs * 2;
|
222
|
222
|
|
223
|
223
|
if ( FT_QALLOC( name_strings, num_names * sizeof ( FT_Byte* ) +
|
224
|
224
|
post_len + 1 ) )
|
... |
... |
@@ -262,8 +262,8 @@ |
262
|
262
|
TT_Post_20 table = &face->postscript_names.names.format_20;
|
263
|
263
|
|
264
|
264
|
|
265
|
|
- table->num_glyphs = (FT_UShort)num_glyphs;
|
266
|
|
- table->num_names = (FT_UShort)num_names;
|
|
265
|
+ table->num_glyphs = num_glyphs;
|
|
266
|
+ table->num_names = num_names;
|
267
|
267
|
table->glyph_indices = glyph_indices;
|
268
|
268
|
table->glyph_names = name_strings;
|
269
|
269
|
}
|
... |
... |
@@ -286,39 +286,38 @@ |
286
|
286
|
FT_Memory memory = stream->memory;
|
287
|
287
|
FT_Error error;
|
288
|
288
|
|
289
|
|
- FT_Int num_glyphs;
|
|
289
|
+ FT_UShort num_glyphs;
|
290
|
290
|
FT_Char* offset_table = NULL;
|
291
|
291
|
|
292
|
|
- FT_UNUSED( post_len );
|
293
|
|
-
|
294
|
292
|
|
295
|
293
|
if ( FT_READ_USHORT( num_glyphs ) )
|
296
|
294
|
goto Exit;
|
297
|
295
|
|
298
|
|
- /* check the number of glyphs */
|
|
296
|
+ /* check the number of glyphs, including the theoretical limit */
|
299
|
297
|
if ( num_glyphs > face->max_profile.numGlyphs ||
|
300
|
|
- num_glyphs > 258 ||
|
301
|
|
- num_glyphs < 1 )
|
|
298
|
+ num_glyphs > post_len ||
|
|
299
|
+ num_glyphs > 257 + 128 )
|
302
|
300
|
{
|
303
|
301
|
error = FT_THROW( Invalid_File_Format );
|
304
|
302
|
goto Exit;
|
305
|
303
|
}
|
306
|
304
|
|
307
|
|
- if ( FT_QNEW_ARRAY( offset_table, num_glyphs ) ||
|
308
|
|
- FT_STREAM_READ( offset_table, num_glyphs ) )
|
309
|
|
- goto Fail;
|
310
|
|
-
|
311
|
|
- /* now check the offset table */
|
|
305
|
+ if ( num_glyphs )
|
312
|
306
|
{
|
313
|
|
- FT_Int n;
|
|
307
|
+ FT_UShort n;
|
|
308
|
+
|
314
|
309
|
|
|
310
|
+ if ( FT_QNEW_ARRAY( offset_table, num_glyphs ) ||
|
|
311
|
+ FT_STREAM_READ( offset_table, num_glyphs ) )
|
|
312
|
+ goto Fail;
|
315
|
313
|
|
|
314
|
+ /* now check the offset table for out-of-range values */
|
316
|
315
|
for ( n = 0; n < num_glyphs; n++ )
|
317
|
316
|
{
|
318
|
|
- FT_Long idx = (FT_Long)n + offset_table[n];
|
|
317
|
+ FT_Int idx = n + offset_table[n];
|
319
|
318
|
|
320
|
319
|
|
321
|
|
- if ( idx < 0 || idx > num_glyphs )
|
|
320
|
+ if ( idx < 0 || idx > 257 )
|
322
|
321
|
{
|
323
|
322
|
error = FT_THROW( Invalid_File_Format );
|
324
|
323
|
goto Fail;
|
... |
... |
@@ -331,7 +330,7 @@ |
331
|
330
|
TT_Post_25 table = &face->postscript_names.names.format_25;
|
332
|
331
|
|
333
|
332
|
|
334
|
|
- table->num_glyphs = (FT_UShort)num_glyphs;
|
|
333
|
+ table->num_glyphs = num_glyphs;
|
335
|
334
|
table->offsets = offset_table;
|
336
|
335
|
}
|
337
|
336
|
|
... |
... |
@@ -370,9 +369,9 @@ |
370
|
369
|
|
371
|
370
|
/* now read postscript table */
|
372
|
371
|
if ( format == 0x00020000L && post_len >= 34 )
|
373
|
|
- error = load_format_20( face, stream, post_len - 32 );
|
|
372
|
+ error = load_format_20( face, stream, post_len - 34 );
|
374
|
373
|
else if ( format == 0x00025000L && post_len >= 34 )
|
375
|
|
- error = load_format_25( face, stream, post_len - 32 );
|
|
374
|
+ error = load_format_25( face, stream, post_len - 34 );
|
376
|
375
|
else
|
377
|
376
|
error = FT_THROW( Invalid_File_Format );
|
378
|
377
|
|
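Review bot: The meaning of `post_len` changes silently for both loaders, because the call sites now pass `post_len - 34` instead of `post_len - 32`, and the new bounds checks `(FT_ULong)num_glyphs * 2 > post_len`, `post_len -= (FT_ULong)num_glyphs * 2` and `num_glyphs > post_len` are only correct if the value already excludes the 2-byte glyph count; nothing in the visible lines states that convention. I would add a comment at the two call sites such as `/* skip the 32-byte header and the 2-byte numGlyphs field; cannot wrap because post_len >= 34 */` and a matching note on the `post_len` parameter of `load_format_20` and `load_format_25`, whose signatures lie outside the visible hunks. Separately, in the `@@ -188` hunk `FT_FRAME_ENTER( num_glyphs * 2 )` no longer forces a wide type the way the check a few lines earlier does; `FT_FRAME_ENTER( (FT_ULong)num_glyphs * 2 )` would keep the frame size from wrapping on a target where `int` is 16 bits wide. The `257 + 128` limit and the `idx > 257` test would also benefit from a one-line comment deriving them from the `FT_Char` offsets and the highest standard glyph name index.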