Diffstat (limited to 'src/3rdparty/freetype/src/gxvalid/gxvmort2.c')
-rw-r--r-- | src/3rdparty/freetype/src/gxvalid/gxvmort2.c | 81 |
1 files changed, 55 insertions, 26 deletions
diff --git a/src/3rdparty/freetype/src/gxvalid/gxvmort2.c b/src/3rdparty/freetype/src/gxvalid/gxvmort2.c index 6f77cf39ce..099ffd48c9 100644 --- a/src/3rdparty/freetype/src/gxvalid/gxvmort2.c +++ b/src/3rdparty/freetype/src/gxvalid/gxvmort2.c @@ -57,11 +57,11 @@ static void gxv_mort_subtable_type2_opttable_load( FT_Bytes table, FT_Bytes limit, - GXV_Validator valid ) + GXV_Validator gxvalid ) { - FT_Bytes p = table; + FT_Bytes p = table; GXV_mort_subtable_type2_StateOptRecData optdata = - (GXV_mort_subtable_type2_StateOptRecData)valid->statetable.optdata; + (GXV_mort_subtable_type2_StateOptRecData)gxvalid->statetable.optdata; GXV_LIMIT_CHECK( 2 + 2 + 2 ); @@ -86,14 +86,14 @@ FT_UShort *classTable_length_p, FT_UShort *stateArray_length_p, FT_UShort *entryTable_length_p, - GXV_Validator valid ) + GXV_Validator gxvalid ) { FT_UShort o[6]; FT_UShort *l[6]; FT_UShort buff[7]; GXV_mort_subtable_type2_StateOptRecData optdata = - (GXV_mort_subtable_type2_StateOptRecData)valid->statetable.optdata; + (GXV_mort_subtable_type2_StateOptRecData)gxvalid->statetable.optdata; GXV_NAME_ENTER( "subtable boundaries setup" ); @@ -111,7 +111,7 @@ l[4] = &(optdata->componentTable_length); l[5] = &(optdata->ligatureTable_length); - gxv_set_length_by_ushort_offset( o, l, buff, 6, table_size, valid ); + gxv_set_length_by_ushort_offset( o, l, buff, 6, table_size, gxvalid ); GXV_TRACE(( "classTable: offset=0x%04x length=0x%04x\n", classTable, *classTable_length_p )); @@ -137,11 +137,11 @@ gxv_mort_subtable_type2_ligActionOffset_validate( FT_Bytes table, FT_UShort ligActionOffset, - GXV_Validator valid ) + GXV_Validator gxvalid ) { /* access ligActionTable */ GXV_mort_subtable_type2_StateOptRecData optdata = - (GXV_mort_subtable_type2_StateOptRecData)valid->statetable.optdata; + (GXV_mort_subtable_type2_StateOptRecData)gxvalid->statetable.optdata; FT_Bytes lat_base = table + optdata->ligActionTable; FT_Bytes p = table + ligActionOffset; 
@@ -155,8 +155,7 @@ ligActionOffset, lat_base - p )); /* FontValidator, ftxvalidator, ftxdumperfuser warn but continue */ - if ( valid->root->level >= FT_VALIDATE_PARANOID ) - FT_INVALID_OFFSET; + GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET ); } else if ( lat_limit < p ) { @@ -164,23 +163,46 @@ ligActionOffset, p - lat_limit )); /* FontValidator, ftxvalidator, ftxdumperfuser warn but continue */ - if ( valid->root->level >= FT_VALIDATE_PARANOID ) - FT_INVALID_OFFSET; + GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET ); } else { /* validate entry in ligActionTable */ FT_ULong lig_action; +#ifdef GXV_LOAD_UNUSED_VARS FT_UShort last; FT_UShort store; +#endif FT_ULong offset; lig_action = FT_NEXT_ULONG( p ); +#ifdef GXV_LOAD_UNUSED_VARS last = (FT_UShort)( ( lig_action >> 31 ) & 1 ); store = (FT_UShort)( ( lig_action >> 30 ) & 1 ); +#endif + /* Apple spec defines this offset as a word offset */ offset = lig_action & 0x3FFFFFFFUL; + if ( offset * 2 < optdata->ligatureTable ) + { + GXV_TRACE(( "too short offset 0x%08x:" + " 2 x offset < ligatureTable (%d byte rewind)\n", + offset, optdata->ligatureTable - offset * 2 )); + + GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET ); + } else if ( offset * 2 > + optdata->ligatureTable + optdata->ligatureTable_length ) + { + GXV_TRACE(( "too long offset 0x%08x:" + " 2 x offset > ligatureTable + ligatureTable_length" + " (%d byte overrun)\n", + offset, + optdata->ligatureTable + optdata->ligatureTable_length + - offset * 2 )); + + GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET ); + } } } @@ -192,10 +214,12 @@ GXV_StateTable_GlyphOffsetCPtr glyphOffset_p, FT_Bytes table, FT_Bytes limit, - GXV_Validator valid ) + GXV_Validator gxvalid ) { +#ifdef GXV_LOAD_UNUSED_VARS FT_UShort setComponent; FT_UShort dontAdvance; +#endif FT_UShort offset; FT_UNUSED( state ); 
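Review bot: In the new `else if ( offset * 2 > ... )` branch of the `-164,23 +163,46` hunk, the trace argument `optdata->ligatureTable + optdata->ligatureTable_length - offset * 2` subtracts the larger value from the smaller one, so the reported overrun wraps around as an unsigned value; the operands should be swapped to `offset * 2 - ( optdata->ligatureTable + optdata->ligatureTable_length )`. Both new GXV_TRACE calls also pass `offset`, declared `FT_ULong`, and an `FT_ULong` difference to `%08x` and `%d`; `%08lx` and `%lu` match the argument types. The upper bound uses `>`, so an offset landing exactly at the end of the ligature table is accepted; if a two-byte entry is expected at that position, `>=` looks like the intended comparison. gxv_mort_subtable_type2_ligActionOffset_validate starts outside this hunk.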
@@ -203,23 +227,25 @@ FT_UNUSED( limit ); +#ifdef GXV_LOAD_UNUSED_VARS setComponent = (FT_UShort)( ( flags >> 15 ) & 1 ); dontAdvance = (FT_UShort)( ( flags >> 14 ) & 1 ); +#endif offset = (FT_UShort)( flags & 0x3FFFU ); if ( 0 < offset ) gxv_mort_subtable_type2_ligActionOffset_validate( table, offset, - valid ); + gxvalid ); } static void gxv_mort_subtable_type2_ligatureTable_validate( FT_Bytes table, - GXV_Validator valid ) + GXV_Validator gxvalid ) { GXV_mort_subtable_type2_StateOptRecData optdata = - (GXV_mort_subtable_type2_StateOptRecData)valid->statetable.optdata; + (GXV_mort_subtable_type2_StateOptRecData)gxvalid->statetable.optdata; FT_Bytes p = table + optdata->ligatureTable; FT_Bytes limit = table + optdata->ligatureTable @@ -237,6 +263,9 @@ GXV_LIMIT_CHECK( 2 ); lig_gid = FT_NEXT_USHORT( p ); + + if ( gxvalid->face->num_glyphs < lig_gid ) + GXV_SET_ERR_IF_PARANOID( FT_INVALID_GLYPH_ID ); } } GXV_EXIT; @@ -246,7 +275,7 @@ FT_LOCAL_DEF( void ) gxv_mort_subtable_type2_validate( FT_Bytes table, FT_Bytes limit, - GXV_Validator valid ) + GXV_Validator gxvalid ) { FT_Bytes p = table; 
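Review bot: The glyph check added in the `-237,6 +263,9` hunk, `if ( gxvalid->face->num_glyphs < lig_gid )`, lets `lig_gid == num_glyphs` through although valid glyph indices run from 0 to num_glyphs - 1; `if ( lig_gid >= gxvalid->face->num_glyphs )` also rejects the first out-of-range ID. Judging by the lines GXV_SET_ERR_IF_PARANOID replaces in the earlier hunks, the error is raised only at the paranoid validation level, so at lower levels an out-of-range ligature glyph still passes. A short comment next to the check, such as `/* reported only at FT_VALIDATE_PARANOID; callers must still range-check lig_gid */`, would keep consumers from treating a validated table as safe to index. The loop and gxv_mort_subtable_type2_ligatureTable_validate begin outside this hunk.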
@@ -257,23 +286,23 @@ GXV_LIMIT_CHECK( GXV_MORT_SUBTABLE_TYPE2_HEADER_SIZE ); - valid->statetable.optdata = + gxvalid->statetable.optdata = &lig_rec; - valid->statetable.optdata_load_func = + gxvalid->statetable.optdata_load_func = gxv_mort_subtable_type2_opttable_load; - valid->statetable.subtable_setup_func = + gxvalid->statetable.subtable_setup_func = gxv_mort_subtable_type2_subtable_setup; - valid->statetable.entry_glyphoffset_fmt = + gxvalid->statetable.entry_glyphoffset_fmt = GXV_GLYPHOFFSET_NONE; - valid->statetable.entry_validate_func = + gxvalid->statetable.entry_validate_func = gxv_mort_subtable_type2_entry_validate; - gxv_StateTable_validate( p, limit, valid ); + gxv_StateTable_validate( p, limit, gxvalid ); - p += valid->subtable_length; - gxv_mort_subtable_type2_ligatureTable_validate( table, valid ); + p += gxvalid->subtable_length; + gxv_mort_subtable_type2_ligatureTable_validate( table, gxvalid ); - valid->subtable_length = p - table; + gxvalid->subtable_length = p - table; GXV_EXIT; } |