[cairo] [cairo-commit] 3 commits - src/cairo-cff-subset.c src/cairo-ft-font.c src/cairo.h src/cairoint.h src/cairo-pdf-surface.c src/cairo-pdf-surface-private.h src/cairo-scaled-font-subsets-private.h src/cairo-surface.c src/cairo-truetype-subset.c src/cairo-truetype-subset-private.h src/cairo-type1-subset.c src/cairo-win32-font.c
Behdad Esfahbod
behdad at behdad.org
Mon Nov 22 07:42:35 PST 2010
Hi Adrian,
On 11/22/10 08:46, Adrian Johnson wrote:
> + cairo_status_t status;
> + const cairo_scaled_font_backend_t *backend;
> + tt_os2_t os2;
> + unsigned long size;
> + uint16_t selection;
> +
> + backend = scaled_font->backend;
> + if (!backend->load_truetype_table)
> + return CAIRO_INT_STATUS_UNSUPPORTED;
> +
> + size = sizeof (os2);
> + status = backend->load_truetype_table (scaled_font,
> + TT_TAG_OS2, 0,
> + (unsigned char *) &os2,
> + &size);
> + if (status)
> + return status;
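Review bot: nothing in this hunk verifies how many bytes of the OS/2 table the backend actually copied into `os2` before `os2.usWeightClass` and `os2.fsSelection` are read from it; `size` is passed by pointer (`&size`), so if `load_truetype_table` stores the number of bytes read there, a short or truncated table leaves the trailing fields of `os2` holding whatever was on the stack. In addition to zero-initializing `os2`, consider rejecting a short table explicitly after the call, e.g. `if (status) return status;` followed by `if (size < sizeof (os2)) return CAIRO_INT_STATUS_UNSUPPORTED;`, so weight and style flags are never derived from bytes the font did not supply.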
As far as I understand, this code will use uninitialized memory if, say, the
OS/2 table is shorter than expected. For the least, you have to initialize
the os2 variable, like:
tt_os2_t os2 = {0};
Same issue with all the other load_truetype_table() calls.
behdad
> + *weight = be16_to_cpu (os2.usWeightClass);
> + selection = be16_to_cpu (os2.fsSelection);
> + *bold = (selection & TT_FS_SELECTION_BOLD) ? TRUE : FALSE;
> + *italic = (selection & TT_FS_SELECTION_ITALIC) ? TRUE : FALSE;
> +
> + return CAIRO_STATUS_SUCCESS;
> +}
> +