Alexei Podtelezhnikov pushed to branch master at FreeType / FreeType
Commits:
-
1029eb93
by Alexei Podtelezhnikov at 2021-10-11T22:25:14-04:00
-
e294a95c
by Alexei Podtelezhnikov at 2021-10-11T23:25:29-04:00
2 changed files:
Changes:
... | ... | @@ -244,12 +244,17 @@ |
244 | 244 |
FT_Memory memory = face->root.memory;
|
245 | 245 |
FT_Stream stream = parser->stream;
|
246 | 246 |
FT_Error error = FT_Err_Ok;
|
247 |
- FT_UInt num_dicts, max_dicts;
|
|
247 |
+ FT_Long num_dicts, max_dicts;
|
|
248 | 248 |
|
249 | 249 |
|
250 |
- num_dicts = (FT_UInt)cid_parser_to_int( parser );
|
|
250 |
+ num_dicts = cid_parser_to_int( parser );
|
|
251 |
+ if ( num_dicts < 0 || num_dicts > FT_INT_MAX )
|
|
252 |
+ {
|
|
253 |
+ FT_ERROR(( "parse_fd_array: invalid number of dictionaries\n" ));
|
|
254 |
+ goto Exit;
|
|
255 |
+ }
|
|
251 | 256 |
|
252 |
- FT_TRACE4(( " %u\n", num_dicts ));
|
|
257 |
+ FT_TRACE4(( " %ld\n", num_dicts ));
|
|
253 | 258 |
|
254 | 259 |
/*
|
255 | 260 |
* A single entry in the FDArray must (at least) contain the following
|
... | ... | @@ -267,11 +272,11 @@ |
267 | 272 |
* need a `dup X' at the very beginning and a `put' at the end, so a
|
268 | 273 |
* rough guess using 100 bytes as the minimum is justified.
|
269 | 274 |
*/
|
270 |
- max_dicts = (FT_UInt)( stream->size / 100 );
|
|
275 |
+ max_dicts = (FT_Long)( stream->size / 100 );
|
|
271 | 276 |
if ( num_dicts > max_dicts )
|
272 | 277 |
{
|
273 | 278 |
FT_TRACE0(( "parse_fd_array: adjusting FDArray size"
|
274 |
- " (from %u to %u)\n",
|
|
279 |
+ " (from %ld to %ld)\n",
|
|
275 | 280 |
num_dicts, max_dicts ));
|
276 | 281 |
num_dicts = max_dicts;
|
277 | 282 |
}
|
... | ... | @@ -1336,7 +1336,7 @@ |
1336 | 1336 |
|
1337 | 1337 |
static int
|
1338 | 1338 |
read_binary_data( T1_Parser parser,
|
1339 |
- FT_ULong* size,
|
|
1339 |
+ FT_Long* size,
|
|
1340 | 1340 |
FT_Byte** base,
|
1341 | 1341 |
FT_Bool incremental )
|
1342 | 1342 |
{
|
... | ... | @@ -1356,7 +1356,7 @@ |
1356 | 1356 |
|
1357 | 1357 |
if ( cur < limit && ft_isdigit( *cur ) )
|
1358 | 1358 |
{
|
1359 |
- FT_ULong s = (FT_ULong)T1_ToInt( parser );
|
|
1359 |
+ FT_Long s = T1_ToInt( parser );
|
|
1360 | 1360 |
|
1361 | 1361 |
|
1362 | 1362 |
T1_Skip_PS_Token( parser ); /* `RD' or `-|' or something else */
|
... | ... | @@ -1365,7 +1365,7 @@ |
1365 | 1365 |
/* `RD' or `-|' token */
|
1366 | 1366 |
*base = parser->root.cursor + 1;
|
1367 | 1367 |
|
1368 |
- if ( s < (FT_ULong)( limit - *base ) )
|
|
1368 |
+ if ( s >= 0 && s < limit - *base )
|
|
1369 | 1369 |
{
|
1370 | 1370 |
parser->root.cursor += s + 1;
|
1371 | 1371 |
*size = s;
|
... | ... | @@ -1793,7 +1793,7 @@ |
1793 | 1793 |
for ( count = 0; ; count++ )
|
1794 | 1794 |
{
|
1795 | 1795 |
FT_Long idx;
|
1796 |
- FT_ULong size;
|
|
1796 |
+ FT_Long size;
|
|
1797 | 1797 |
FT_Byte* base;
|
1798 | 1798 |
|
1799 | 1799 |
|
... | ... | @@ -1851,7 +1851,7 @@ |
1851 | 1851 |
/* some fonts define empty subr records -- this is not totally */
|
1852 | 1852 |
/* compliant to the specification (which says they should at */
|
1853 | 1853 |
/* least contain a `return'), but we support them anyway */
|
1854 |
- if ( size < (FT_ULong)face->type1.private_dict.lenIV )
|
|
1854 |
+ if ( size < face->type1.private_dict.lenIV )
|
|
1855 | 1855 |
{
|
1856 | 1856 |
error = FT_THROW( Invalid_File_Format );
|
1857 | 1857 |
goto Fail;
|
... | ... | @@ -1862,7 +1862,7 @@ |
1862 | 1862 |
goto Fail;
|
1863 | 1863 |
FT_MEM_COPY( temp, base, size );
|
1864 | 1864 |
psaux->t1_decrypt( temp, size, 4330 );
|
1865 |
- size -= (FT_ULong)face->type1.private_dict.lenIV;
|
|
1865 |
+ size -= face->type1.private_dict.lenIV;
|
|
1866 | 1866 |
error = T1_Add_Table( table, (FT_Int)idx,
|
1867 | 1867 |
temp + face->type1.private_dict.lenIV, size );
|
1868 | 1868 |
FT_FREE( temp );
|
... | ... | @@ -1967,7 +1967,7 @@ |
1967 | 1967 |
|
1968 | 1968 |
for (;;)
|
1969 | 1969 |
{
|
1970 |
- FT_ULong size;
|
|
1970 |
+ FT_Long size;
|
|
1971 | 1971 |
FT_Byte* base;
|
1972 | 1972 |
|
1973 | 1973 |
|
... | ... | @@ -2061,7 +2061,7 @@ |
2061 | 2061 |
FT_Byte* temp = NULL;
|
2062 | 2062 |
|
2063 | 2063 |
|
2064 |
- if ( size <= (FT_ULong)face->type1.private_dict.lenIV )
|
|
2064 |
+ if ( size <= face->type1.private_dict.lenIV )
|
|
2065 | 2065 |
{
|
2066 | 2066 |
error = FT_THROW( Invalid_File_Format );
|
2067 | 2067 |
goto Fail;
|
... | ... | @@ -2072,7 +2072,7 @@ |
2072 | 2072 |
goto Fail;
|
2073 | 2073 |
FT_MEM_COPY( temp, base, size );
|
2074 | 2074 |
psaux->t1_decrypt( temp, size, 4330 );
|
2075 |
- size -= (FT_ULong)face->type1.private_dict.lenIV;
|
|
2075 |
+ size -= face->type1.private_dict.lenIV;
|
|
2076 | 2076 |
error = T1_Add_Table( code_table, n,
|
2077 | 2077 |
temp + face->type1.private_dict.lenIV, size );
|
2078 | 2078 |
FT_FREE( temp );
|
... | ... | @@ -2324,7 +2324,7 @@ |
2324 | 2324 |
else if ( *cur == 'R' && cur + 6 < limit && *(cur + 1) == 'D' &&
|
2325 | 2325 |
have_integer )
|
2326 | 2326 |
{
|
2327 |
- FT_ULong s;
|
|
2327 |
+ FT_Long s;
|
|
2328 | 2328 |
FT_Byte* b;
|
2329 | 2329 |
|
2330 | 2330 |
|
... | ... | @@ -2337,7 +2337,7 @@ |
2337 | 2337 |
else if ( *cur == '-' && cur + 6 < limit && *(cur + 1) == '|' &&
|
2338 | 2338 |
have_integer )
|
2339 | 2339 |
{
|
2340 |
- FT_ULong s;
|
|
2340 |
+ FT_Long s;
|
|
2341 | 2341 |
FT_Byte* b;
|
2342 | 2342 |
|
2343 | 2343 |
|