Upload tizen 2.0 beta source

[framework/graphics/freetype.git] / src / cid / cidload.c

diff --git a/src/cid/cidload.c b/src/cid/cidload.c
index 3bb3594..3b840b7 100644 (file)
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    CID-keyed Type1 font loader (body).                                  */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by             */
+/*  Copyright 1996-2006, 2009, 2011-2012 by                                */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -110,7 +110,7 @@
         CID_FaceDict  dict;
 
 
-        if ( parser->num_dict < 0 )
+        if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )
         {
           FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n",
                      keyword->ident ));
@@ -147,8 +147,8 @@
 
 
   FT_CALLBACK_DEF( FT_Error )
-  parse_font_matrix( CID_Face     face,
-                     CID_Parser*  parser )
+  cid_parse_font_matrix( CID_Face     face,
+                         CID_Parser*  parser )
   {
     FT_Matrix*    matrix;
     FT_Vector*    offset;
@@ -158,7 +158,7 @@
     FT_Fixed      temp_scale;
 
 
-    if ( parser->num_dict >= 0 )
+    if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
     {
       dict   = face->cid.font_dicts + parser->num_dict;
       matrix = &dict->font_matrix;
@@ -249,7 +249,7 @@
     CID_FaceDict  dict;
 
 
-    if ( parser->num_dict >= 0 )
+    if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
     {
       dict = face->cid.font_dicts + parser->num_dict;
 
@@ -268,7 +268,7 @@
 #include "cidtoken.h"
 
     T1_FIELD_CALLBACK( "FDArray",         parse_fd_array, 0 )
-    T1_FIELD_CALLBACK( "FontMatrix",      parse_font_matrix, 0 )
+    T1_FIELD_CALLBACK( "FontMatrix",      cid_parse_font_matrix, 0 )
     T1_FIELD_CALLBACK( "ExpansionFactor", parse_expansion_factor, 0 )
 
     { 0, T1_FIELD_LOCATION_CID_INFO, T1_FIELD_TYPE_NONE, 0, 0, 0, 0, 0, 0 }
@@ -413,12 +413,25 @@
       FT_Byte*      p;
 
 
+      /* Check for possible overflow. */
+      if ( num_subrs == FT_UINT_MAX )
+      {
+        error = CID_Err_Syntax_Error;
+        goto Fail;
+      }
+
       /* reallocate offsets array if needed */
       if ( num_subrs + 1 > max_offsets )
       {
         FT_UInt  new_max = FT_PAD_CEIL( num_subrs + 1, 4 );
 
 
+        if ( new_max <= max_offsets )
+        {
+          error = CID_Err_Syntax_Error;
+          goto Fail;
+        }
+
         if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )
           goto Fail;
 
@@ -436,6 +449,11 @@
 
       FT_FRAME_EXIT();
 
+      /* offsets must be ordered */
+      for ( count = 1; count <= num_subrs; count++ )
+        if ( offsets[count - 1] > offsets[count] )
+          goto Fail;
+
       /* now, compute the size of subrs charstrings, */
       /* allocate, and read them                     */
       data_len = offsets[num_subrs] - offsets[0];
@@ -495,8 +513,8 @@
 
 
   static void
-  t1_init_loader( CID_Loader*  loader,
-                  CID_Face     face )
+  cid_init_loader( CID_Loader*  loader,
+                   CID_Face     face )
   {
     FT_UNUSED( face );
 
@@ -504,8 +522,8 @@
   }
 
 
-  static void
-  t1_done_loader( CID_Loader*  loader )
+  static  void
+  cid_done_loader( CID_Loader*  loader )
   {
     CID_Parser*  parser = &loader->parser;
 
@@ -623,7 +641,7 @@
     FT_Error     error;
 
 
-    t1_init_loader( &loader, face );
+    cid_init_loader( &loader, face );
 
     parser = &loader.parser;
     error = cid_parser_new( parser, face->root.stream, face->root.memory,
@@ -664,7 +682,7 @@
     error = cid_read_subrs( face );
 
   Exit:
-    t1_done_loader( &loader );
+    cid_done_loader( &loader );
     return error;
   }