- --- freetype-2.3.11/src/cff/cffgload.c.CVE-2010-1797-2 2009-09-10 17:52:21.000000000 +0200
- +++ freetype-2.3.11/src/cff/cffgload.c 2010-08-11 13:39:32.000000000 +0200
- @@ -2358,8 +2358,11 @@
- return CFF_Err_Unimplemented_Feature;
- }
-
- - decoder->top = args;
- + decoder->top = args;
-
- + if ( decoder->top - stack >= CFF_MAX_OPERANDS )
- + goto Stack_Overflow;
- +
- } /* general operator processing */
-
- } /* while ip < limit */
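Review bot: The added bound check on `decoder->top` runs only after the operator has already stored its results through `args`, so it rejects an over-full stack for the next iteration rather than preventing the write itself. Whether that is sufficient depends on the operand stack having headroom for the largest number of values a single operator can push, which is not visible in this hunk. I would document that invariant next to the check, e.g. `/* relies on stack[] having room for one operator's results beyond CFF_MAX_OPERANDS */`, or confirm that every pushing operator is bounded before it writes. The `Stack_Overflow` label and the rest of the enclosing function lie outside the hunk.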
- @@ -2627,48 +2630,54 @@
- /* now load the unscaled outline */
- error = cff_get_glyph_data( face, glyph_index,
- &charstring, &charstring_len );
- - if ( !error )
- - {
- - error = cff_decoder_prepare( &decoder, size, glyph_index );
- - if ( !error )
- - {
- - error = cff_decoder_parse_charstrings( &decoder,
- - charstring,
- - charstring_len );
- + if ( error )
- + goto Glyph_Build_Finished;
- +
- + error = cff_decoder_prepare( &decoder, size, glyph_index );
- + if ( error )
- + goto Glyph_Build_Finished;
-
- - cff_free_glyph_data( face, &charstring, charstring_len );
- + error = cff_decoder_parse_charstrings( &decoder,
- + charstring,
- + charstring_len );
- +
- + cff_free_glyph_data( face, &charstring, charstring_len );
- +
- + if ( error )
- + goto Glyph_Build_Finished;
-
-
- #ifdef FT_CONFIG_OPTION_INCREMENTAL
- - /* Control data and length may not be available for incremental */
- - /* fonts. */
- - if ( face->root.internal->incremental_interface )
- - {
- - glyph->root.control_data = 0;
- - glyph->root.control_len = 0;
- - }
- - else
- + /* Control data and length may not be available for incremental */
- + /* fonts. */
- + if ( face->root.internal->incremental_interface )
- + {
- + glyph->root.control_data = 0;
- + glyph->root.control_len = 0;
- + }
- + else
- #endif /* FT_CONFIG_OPTION_INCREMENTAL */
-
- - /* We set control_data and control_len if charstrings is loaded. */
- - /* See how charstring loads at cff_index_access_element() in */
- - /* cffload.c. */
- - {
- - CFF_Index csindex = &cff->charstrings_index;
- + /* We set control_data and control_len if charstrings is loaded. */
- + /* See how charstring loads at cff_index_access_element() in */
- + /* cffload.c. */
- + {
- + CFF_Index csindex = &cff->charstrings_index;
-
-
- - if ( csindex->offsets )
- - {
- - glyph->root.control_data = csindex->bytes +
- - csindex->offsets[glyph_index] - 1;
- - glyph->root.control_len = charstring_len;
- - }
- - }
- + if ( csindex->offsets )
- + {
- + glyph->root.control_data = csindex->bytes +
- + csindex->offsets[glyph_index] - 1;
- + glyph->root.control_len = charstring_len;
- }
- }
-
- - /* save new glyph tables */
- - cff_builder_done( &decoder.builder );
- + Glyph_Build_Finished:
- + /* save new glyph tables, if no error */
- + if ( !error )
- + cff_builder_done( &decoder.builder );
- + /* XXX: anything to do for broken glyph entry? */
- }
-
- #ifdef FT_CONFIG_OPTION_INCREMENTAL
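Review bot: The `cff_decoder_prepare` failure path jumps to `Glyph_Build_Finished` without calling `cff_free_glyph_data`, so the charstring obtained from `cff_get_glyph_data` appears to stay unreleased on that path. The removed nested code had the same gap, so this is inherited rather than introduced here. Since the flow is being flattened anyway, I would add `cff_free_glyph_data( face, &charstring, charstring_len );` before that `goto`. The enclosing function starts and ends outside the hunk, so how `error` is handled after the label cannot be confirmed from here.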