[cairo-commit] 2 commits - src/cairo-truetype-subset.c
Adrian Johnson
ajohnson at kemper.freedesktop.org
Fri Apr 4 03:09:47 PDT 2008
src/cairo-truetype-subset.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
New commits:
commit 2d42f5ac27494f2bfd75e7bba42fd36783e053eb
Author: Adrian Johnson <ajohnson at redneon.com>
Date: Fri Apr 4 20:29:12 2008 +1030
TrueType: Fix buffer check
bb76eb50 added some checks to ensure we do not read past the end of
the buffer for the loaded glyph. However the checks assumed
tt_composite_glyph_t has a fixed size. tt_composite_glyph_t has a
variable size that depends on the values within the struct.
diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
index f88079b..c3f0b05 100644
--- a/src/cairo-truetype-subset.c
+++ b/src/cairo-truetype-subset.c
@@ -505,27 +505,30 @@ cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
unsigned long size)
{
tt_glyph_data_t *glyph_data;
- tt_composite_glyph_t *composite_glyph, *last_glyph;
+ tt_composite_glyph_t *composite_glyph;
int num_args;
int has_more_components;
unsigned short flags;
unsigned short index;
cairo_status_t status;
+ unsigned char *end = buffer + size;
if (font->status)
return font->status;
- if (size < sizeof (tt_glyph_data_t))
+ glyph_data = (tt_glyph_data_t *) buffer;
+ if ((unsigned char *)(&glyph_data->data) >= end)
return CAIRO_INT_STATUS_UNSUPPORTED;
- glyph_data = (tt_glyph_data_t *) buffer;
if ((int16_t)be16_to_cpu (glyph_data->num_contours) >= 0)
return CAIRO_STATUS_SUCCESS;
composite_glyph = &glyph_data->glyph;
- last_glyph = (tt_composite_glyph_t *) (buffer + size);
do {
- flags = be16_to_cpu (composite_glyph->flags);
+ if ((unsigned char *)(&composite_glyph->args[1]) >= end)
+ return CAIRO_INT_STATUS_UNSUPPORTED;
+
+ flags = be16_to_cpu (composite_glyph->flags);
has_more_components = flags & TT_MORE_COMPONENTS;
status = cairo_truetype_font_use_glyph (font, be16_to_cpu (composite_glyph->index), &index);
if (status)
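Review bot: The bound test `if ((unsigned char *)(&composite_glyph->args[1]) >= end)` rejects one byte too many: the loop only reads `flags` and `index`, and a component carrying packed byte arguments ends exactly at `&args[1]`, so a final component that finishes precisely at `end` is reported as UNSUPPORTED although every field it reads lies inside the buffer; `if ((unsigned char *)(&composite_glyph->args[1]) > end)` is the exact check, and the same reasoning applies to the `&glyph_data->data >= end` test above it. This assumes `args` is an array of two-byte elements, which the hunk does not show; confirm against the tt_composite_glyph_t definition before changing it. A further caveat: the advance through `&(composite_glyph->args[num_args])` in the second hunk can form a pointer beyond `buffer + size` before the next iteration compares it, which is undefined in strict C even though the compare catches it in practice; tracking a byte offset from `buffer` and comparing it against `size` avoids that. The enclosing function continues past this hunk.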
@@ -542,9 +545,6 @@ cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
else if (flags & TT_WE_HAVE_A_TWO_BY_TWO)
num_args += 3;
composite_glyph = (tt_composite_glyph_t *) &(composite_glyph->args[num_args]);
-
- if (has_more_components && composite_glyph >= last_glyph)
- return CAIRO_INT_STATUS_UNSUPPORTED;
} while (has_more_components);
return CAIRO_STATUS_SUCCESS;
commit 7dbb2dec33bb91b3d89a8072283297025817d0c6
Author: Adrian Johnson <ajohnson at redneon.com>
Date: Fri Apr 4 19:48:55 2008 +1030
TrueType: Remove assert
If the status is UNSUPPORTED we should let type1-fallback subset it.
diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
index 4451767..f88079b 100644
--- a/src/cairo-truetype-subset.c
+++ b/src/cairo-truetype-subset.c
@@ -1085,7 +1085,8 @@ _cairo_truetype_subset_init (cairo_truetype_subset_t *truetype_subset,
for (i = 0; i < font->scaled_font_subset->num_glyphs; i++) {
unsigned short parent_glyph = font->scaled_font_subset->glyphs[i];
status = cairo_truetype_font_use_glyph (font, parent_glyph, &parent_glyph);
- assert (status == CAIRO_STATUS_SUCCESS);
+ if (status)
+ goto fail1;
}
cairo_truetype_font_create_truetype_table_list (font);
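Review bot: The new `goto fail1` carries no explanation of why a failure here is no longer treated as a programming error, so a reader sees only an assert replaced by an error path; the rationale lives solely in the commit message. A one-line comment before the check, `/* UNSUPPORTED means the glyph data could not be parsed; propagate it so the caller can fall back to type1 subsetting */`, would keep that reasoning with the code. Whether `fail1` releases what was acquired before this loop and returns `status` unchanged cannot be seen from the hunk, since the label and the rest of _cairo_truetype_subset_init lie outside it.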