qbit/xenocara
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

patches from Freetype.org for the security issues found by Robert Swiecki:

Browse Source 
CVE-2010-2497 freetype integer underflow
CVE-2010-2498 freetype invalid free
CVE-2010-2499 freetype buffer overflow
CVE-2010-2500 freetype integer overflow
CVE-2010-2519 freetype heap buffer overflow
CVE-2010-2520 freetype buffer overflow on heap
This commit is contained in:
matthieu 2010-07-17 14:06:43 +00:00
parent 6bc786a0c1
commit 2b3e93e33b
19 changed files with 266 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
lib/freetype/include/freetype/config/ftoption.h
View File

@ -690,6 +690,27 @@ FT_BEGIN_HEADER
#define FT_CONFIG_OPTION_OLD_INTERNALS
/*
* To detect legacy cache-lookup call from a rogue client (<= 2.1.7),
* we restrict the number of charmaps in a font. The current API of
* FTC_CMapCache_Lookup() takes cmap_index & charcode, but old API
* takes charcode only. To determine the passed value is for cmap_index
* or charcode, the possible cmap_index is restricted not to exceed
* the minimum possible charcode by a rogue client. It is also very
* unlikely that a rogue client is interested in Unicode values 0 to 15.
*
* NOTE: The original threshold was 4 deduced from popular number of
* cmap subtables in UCS-4 TrueType fonts, but now it is not
* irregular for OpenType fonts to have more than 4 subtables,
* because variation selector subtables are available for Apple
* and Microsoft platforms.
*/
#ifdef FT_CONFIG_OPTION_OLD_INTERNALS
#define FT_MAX_CHARMAP_CACHEABLE 15
#endif
/*
* This macro is defined if either unpatented or native TrueType
* hinting is requested by the definitions above.

18
lib/freetype/include/freetype/fterrdef.h
View File

@ -4,7 +4,7 @@
/* */
/* FreeType error codes (specification). */
/* */
/* Copyright 2002, 2004, 2006, 2007 by */
/* Copyright 2002, 2004, 2006, 2007, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -220,19 +220,21 @@
"`FONT' field missing" )
FT_ERRORDEF_( Missing_Size_Field, 0xB2, \
"`SIZE' field missing" )
FT_ERRORDEF_( Missing_Chars_Field, 0xB3, \
FT_ERRORDEF_( Missing_Fontboundingbox_Field, 0xB3, \
"`FONTBOUNDINGBOX' field missing" )
FT_ERRORDEF_( Missing_Chars_Field, 0xB4, \
"`CHARS' field missing" )
FT_ERRORDEF_( Missing_Startchar_Field, 0xB4, \
FT_ERRORDEF_( Missing_Startchar_Field, 0xB5, \
"`STARTCHAR' field missing" )
FT_ERRORDEF_( Missing_Encoding_Field, 0xB5, \
FT_ERRORDEF_( Missing_Encoding_Field, 0xB6, \
"`ENCODING' field missing" )
FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
FT_ERRORDEF_( Missing_Bbx_Field, 0xB7, \
"`BBX' field missing" )
FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
FT_ERRORDEF_( Bbx_Too_Big, 0xB8, \
"`BBX' too big" )
FT_ERRORDEF_( Corrupted_Font_Header, 0xB8, \
FT_ERRORDEF_( Corrupted_Font_Header, 0xB9, \
"Font header corrupted or missing fields" )
FT_ERRORDEF_( Corrupted_Font_Glyphs, 0xB9, \
FT_ERRORDEF_( Corrupted_Font_Glyphs, 0xBA, \
"Font glyphs corrupted or missing fields" )

9
lib/freetype/src/autofit/afglobal.c
View File

@ -4,7 +4,7 @@
/* */
/* Auto-fitter routines to compute global hinting values (body). */
/* */
/* Copyright 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
/* Copyright 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -167,8 +167,11 @@
for ( nn = 0; nn < globals->glyph_count; nn++ )
{
if ( gscripts[nn] == AF_SCRIPT_LIST_NONE )
gscripts[nn] = AF_SCRIPT_LIST_DEFAULT;
if ( ( gscripts[nn] & ~AF_DIGIT ) == AF_SCRIPT_LIST_NONE )
{
gscripts[nn] &= ~AF_SCRIPT_LIST_NONE;
gscripts[nn] |= AF_SCRIPT_LIST_DEFAULT;
}
}
}

79
lib/freetype/src/base/ftobjs.c
View File

@ -992,6 +992,14 @@
( cur[0]->platform_id == TT_PLATFORM_APPLE_UNICODE &&
cur[0]->encoding_id == TT_APPLE_ID_UNICODE_32 ) )
{
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( cur - first > FT_MAX_CHARMAP_CACHEABLE )
{
FT_ERROR(( "find_unicode_charmap: UCS-4 cmap is found "
"at too late position (%d)\n", cur - first ));
continue;
}
#endif
face->charmap = cur[0];
return FT_Err_Ok;
}
@ -1006,6 +1014,14 @@
{
if ( cur[0]->encoding == FT_ENCODING_UNICODE )
{
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( cur - first > FT_MAX_CHARMAP_CACHEABLE )
{
FT_ERROR(( "find_unicode_charmap: UCS-2 cmap is found "
"at too late position (%d)\n", cur - first ));
continue;
}
#endif
face->charmap = cur[0];
return FT_Err_Ok;
}
@ -1047,6 +1063,14 @@
if ( cur[0]->platform_id == TT_PLATFORM_APPLE_UNICODE &&
cur[0]->encoding_id == TT_APPLE_ID_VARIANT_SELECTOR &&
FT_Get_CMap_Format( cur[0] ) == 14 )
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( cur - first > FT_MAX_CHARMAP_CACHEABLE )
{
FT_ERROR(( "find_unicode_charmap: UVS cmap is found "
"at too late position (%d)\n", cur - first ));
continue;
}
#endif
return cur[0];
}
@ -1548,11 +1572,25 @@
goto Exit;
if ( FT_READ_USHORT( flags ) )
goto Exit;
rlen -= 2; /* the flags are part of the resource */
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
i, offsets[i], rlen, flags ));
if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
continue;
/* the flags are part of the resource, so rlen >= 2. */
/* but some fonts declare rlen = 0 for empty fragment */
if ( rlen > 2 )
rlen -= 2;
else
rlen = 0;
if ( ( flags >> 8 ) == type )
len += rlen;
else
{
if ( pfb_lenpos + 3 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
@ -1561,6 +1599,8 @@
if ( ( flags >> 8 ) == 5 ) /* End of font mark */
break;
if ( pfb_pos + 6 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_pos++] = 0x80;
type = flags >> 8;
@ -1575,12 +1615,18 @@
}
error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
if ( error )
goto Exit2;
pfb_pos += rlen;
}
if ( pfb_pos + 2 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_pos++] = 0x80;
pfb_data[pfb_pos++] = 3;
if ( pfb_lenpos + 3 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
@ -2901,6 +2947,15 @@
{
if ( cur[0]->encoding == encoding )
{
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( cur - face->charmaps > FT_MAX_CHARMAP_CACHEABLE )
{
FT_ERROR(( "FT_Select_Charmap: requested charmap is found (%d), "
"but in too late position to cache\n",
cur - face->charmaps ));
continue;
}
#endif
face->charmap = cur[0];
return 0;
}
@ -2935,6 +2990,15 @@
{
if ( cur[0] == charmap )
{
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( cur - face->charmaps > FT_MAX_CHARMAP_CACHEABLE )
{
FT_ERROR(( "FT_Set_Charmap: requested charmap is found (%d), "
"but in too late position to cache\n",
cur - face->charmaps ));
continue;
}
#endif
face->charmap = cur[0];
return 0;
}
@ -2957,6 +3021,15 @@
FT_ASSERT( i < charmap->face->num_charmaps );
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( i > FT_MAX_CHARMAP_CACHEABLE )
{
FT_ERROR(( "FT_Get_Charmap_Index: requested charmap is found (%d), "
"but in too late position to cache\n",
i ));
return -i;
}
#endif
return i;
}
@ -3109,7 +3182,7 @@
FT_UInt gindex = 0;
if ( face && face->charmap )
if ( face && face->charmap && face->num_glyphs )
{
gindex = FT_Get_Char_Index( face, 0 );
if ( gindex == 0 )
@ -3134,7 +3207,7 @@
FT_UInt gindex = 0;
if ( face && face->charmap )
if ( face && face->charmap && face->num_glyphs )
{
FT_UInt32 code = (FT_UInt32)charcode;
FT_CMap cmap = FT_CMAP( face->charmap );

29
lib/freetype/src/bdf/bdflib.c
View File

@ -1,6 +1,6 @@
/*
* Copyright 2000 Computing Research Labs, New Mexico State University
* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2009
* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2009, 2010
* Francesco Zappa Nardelli
*
* Permission is hereby granted, free of charge, to any person obtaining a
@ -470,6 +470,11 @@
}
/* An empty string for empty fields. */
static const char empty[1] = { 0 }; /* XXX eliminate this */
static char *
_bdf_list_join( _bdf_list_t* list,
int c,
@ -494,18 +499,14 @@
if ( i + 1 < list->used )
dp[j++] = (char)c;
}
dp[j] = 0;
if ( dp != empty )
dp[j] = 0;
*alen = j;
return dp;
}
/* An empty string for empty fields. */
static const char empty[1] = { 0 }; /* XXX eliminate this */
static FT_Error
_bdf_list_split( _bdf_list_t* list,
char* separators,
@ -1867,6 +1868,9 @@
error = BDF_Err_Invalid_File_Format;
Exit:
if ( error && ( p->flags & _BDF_GLYPH ) )
FT_FREE( p->glyph_name );
return error;
}
@ -2077,6 +2081,14 @@
/* Check for the start of the properties. */
if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 )
{
if ( !(p->flags & _BDF_FONT_BBX ) )
{
/* Missing the FONTBOUNDINGBOX field. */
FT_ERROR(( "_bdf_parse_start: " ERRMSG1, lineno, "FONTBOUNDINGBOX" ));
error = BDF_Err_Missing_Fontboundingbox_Field;
goto Exit;
}
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@ -2139,6 +2151,9 @@
goto Exit;
}
/* Allowing multiple `FONT' lines (which is invalid) doesn't hurt... */
FT_FREE( p->font->name );
if ( FT_NEW_ARRAY( p->font->name, slen + 1 ) )
goto Exit;
FT_MEM_COPY( p->font->name, s, slen + 1 );

24
lib/freetype/src/cache/ftccmap.c vendored
View File

@ -310,19 +310,11 @@
#ifdef FT_CONFIG_OPTION_OLD_INTERNALS
/*
* Detect a call from a rogue client that thinks it is linking
* to FreeType 2.1.7. This is possible because the third parameter
* is then a character code, and we have never seen any font with
* more than a few charmaps, so if the index is very large...
*
* It is also very unlikely that a rogue client is interested
* in Unicode values 0 to 15.
*
* NOTE: The original threshold was 4, but we found a font from the
* Adobe Acrobat Reader Pack, named `KozMinProVI-Regular.otf',
* which contains more than 5 charmaps.
* If cmap_index is greater than the maximum number of cachable
* charmaps, we assume the request is from a legacy rogue client
* using old internal header. See include/config/ftoption.h.
*/
if ( cmap_index >= 16 && !no_cmap_change )
if ( cmap_index > FT_MAX_CHARMAP_CACHEABLE && !no_cmap_change )
{
FTC_OldCMapDesc desc = (FTC_OldCMapDesc) face_id;
@ -384,7 +376,7 @@
/* something rotten can happen with rogue clients */
if ( (FT_UInt)( char_code - FTC_CMAP_NODE( node )->first >=
FTC_CMAP_INDICES_MAX ) )
return 0;
return 0; /* XXX: should return appropriate error */
gindex = FTC_CMAP_NODE( node )->indices[char_code -
FTC_CMAP_NODE( node )->first];
@ -401,6 +393,12 @@
if ( error )
goto Exit;
#ifdef FT_MAX_CHARMAP_CACHEABLE
/* something rotten can happen with rogue clients */
if ( cmap_index > FT_MAX_CHARMAP_CACHEABLE )
return 0; /* XXX: should return appropriate error */
#endif
if ( (FT_UInt)cmap_index < (FT_UInt)face->num_charmaps )
{
FT_CharMap old, cmap = NULL;

2
lib/freetype/src/cff/cffgload.c
View File

@ -2276,6 +2276,8 @@
/* this is the implementation described for `unknown' other */
/* subroutines in the Type1 spec. */
args -= 2 + ( args[-2] >> 16 );
if ( args < stack )
goto Stack_Underflow;
break;
case cff_op_pop:

19
lib/freetype/src/cff/cffobjs.c
View File

@ -863,6 +863,16 @@
if ( pure_cff && cff->top_font.font_dict.cid_registry != 0xFFFFU )
goto Exit;
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( nn + 1 > FT_MAX_CHARMAP_CACHEABLE )
{
FT_ERROR(( "cff_face_init: no Unicode cmap is found, "
"and too many subtables (%d) to add synthesized cmap\n",
nn ));
goto Exit;
}
#endif
/* we didn't find a Unicode charmap -- synthesize one */
cmaprec.face = cffface;
cmaprec.platform_id = 3;
@ -878,6 +888,15 @@
cffface->charmap = cffface->charmaps[nn];
Skip_Unicode:
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( nn > FT_MAX_CHARMAP_CACHEABLE )
{
FT_ERROR(( "cff_face_init: Unicode cmap is found, "
"but too many preceding subtables (%d) to access\n",
nn - 1 ));
goto Exit;
}
#endif
if ( encoding->count > 0 )
{
FT_CMap_Class clazz;

7
lib/freetype/src/cff/cffparse.c
View File

@ -337,6 +337,13 @@
fraction_length += integer_length;
}
/* this can only happen if exponent was non-zero */
if ( fraction_length == 10 )
{
number /= 10;
fraction_length -= 1;
}
/* Convert into 16.16 format. */
if ( fraction_length > 0 )
{

6
lib/freetype/src/pcf/pcfread.c
View File

@ -2,7 +2,8 @@
FreeType font driver for pcf fonts
Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by
Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
2010 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@ -607,6 +608,9 @@ THE SOFTWARE.
face->nmetrics = nmetrics;
if ( !nmetrics )
return PCF_Err_Invalid_Table;
FT_TRACE4(( "pcf_get_metrics:\n" ));
FT_TRACE4(( " number of metrics: %d\n", nmetrics ));

24
lib/freetype/src/pfr/pfrgload.c
View File

@ -4,7 +4,7 @@
/* */
/* FreeType PFR glyph loader (body). */
/* */
/* Copyright 2002, 2003, 2005, 2007 by */
/* Copyright 2002, 2003, 2005, 2007, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -268,8 +268,8 @@
{
PFR_CHECK( 1 );
count = PFR_NEXT_BYTE( p );
x_count = ( count & 15 );
y_count = ( count >> 4 );
x_count = count & 15;
y_count = count >> 4;
}
else
{
@ -388,7 +388,7 @@
case 2: /* horizontal line to */
FT_TRACE6(( "- horizontal line to cx.%d", format_low ));
if ( format_low > x_count )
if ( format_low >= x_count )
goto Failure;
pos[0].x = glyph->x_control[format_low];
pos[0].y = pos[3].y;
@ -398,7 +398,7 @@
case 3: /* vertical line to */
FT_TRACE6(( "- vertical line to cy.%d", format_low ));
if ( format_low > y_count )
if ( format_low >= y_count )
goto Failure;
pos[0].x = pos[3].x;
pos[0].y = glyph->y_control[format_low];
@ -440,7 +440,7 @@
case 0: /* 8-bit index */
PFR_CHECK( 1 );
idx = PFR_NEXT_BYTE( p );
if ( idx > x_count )
if ( idx >= x_count )
goto Failure;
cur->x = glyph->x_control[idx];
FT_TRACE7(( " cx#%d", idx ));
@ -470,7 +470,7 @@
case 0: /* 8-bit index */
PFR_CHECK( 1 );
idx = PFR_NEXT_BYTE( p );
if ( idx > y_count )
if ( idx >= y_count )
goto Failure;
cur->y = glyph->y_control[idx];
FT_TRACE7(( " cy#%d", idx ));
@ -598,6 +598,16 @@
FT_UInt new_max = ( org_count + count + 3 ) & (FT_UInt)-4;
/* we arbitrarily limit the number of subglyphs */
/* to avoid endless recursion */
if ( new_max > 64 )
{
error = PFR_Err_Invalid_Table;
FT_ERROR(( "pfr_glyph_load_compound:"
" too many compound glyphs components\n" ));
goto Exit;
}
if ( FT_RENEW_ARRAY( glyph->subs, glyph->max_subs, new_max ) )
goto Exit;

13
lib/freetype/src/pfr/pfrobjs.c
View File

@ -4,7 +4,7 @@
/* */
/* FreeType PFR object methods (body). */
/* */
/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008 by */
/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -147,7 +147,16 @@
break;
if ( nn == phy_font->num_chars )
pfrface->face_flags = 0; /* not scalable */
{
if ( phy_font->num_strikes > 0 )
pfrface->face_flags = 0; /* not scalable */
else
{
FT_ERROR(( "pfr_face_init: font doesn't contain glyphs\n" ));
error = PFR_Err_Invalid_File_Format;
goto Exit;
}
}
}
if ( (phy_font->flags & PFR_PHY_PROPORTIONAL) == 0 )

7
lib/freetype/src/psaux/psobjs.c
View File

@ -1588,6 +1588,13 @@
FT_Error error;
/* this might happen in invalid fonts */
if ( !outline )
{
FT_ERROR(( "t1_builder_add_contour: no outline to add points to\n" ));
return PSaux_Err_Invalid_File_Format;
}
if ( !builder->load_points )
{
outline->n_contours++;

12
lib/freetype/src/pshinter/pshalgo.c
View File

@ -4,7 +4,8 @@
/* */
/* PostScript hinting algorithm (body). */
/* */
/* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
/* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 */
/* by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used */
@ -1690,7 +1691,10 @@
/* process secondary hints to `selected' points */
if ( num_masks > 1 && glyph->num_points > 0 )
{
first = mask->end_point;
/* the `endchar' op can reduce the number of points */
first = mask->end_point > glyph->num_points
? glyph->num_points
: mask->end_point;
mask++;
for ( ; num_masks > 1; num_masks--, mask++ )
{
@ -1698,7 +1702,9 @@
FT_Int count;
next = mask->end_point;
next = mask->end_point > glyph->num_points
? glyph->num_points
: mask->end_point;
count = next - first;
if ( count > 0 )
{

15
lib/freetype/src/sfnt/ttcmap.c
View File

@ -4,7 +4,7 @@
/* */
/* TrueType character mapping table (cmap) support (body). */
/* */
/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -3391,11 +3391,12 @@
FT_Byte* limit = table + face->cmap_size;
FT_UInt volatile num_cmaps;
FT_Byte* volatile p = table;
FT_Library library = FT_FACE_LIBRARY(face);
FT_UNUSED(library);
FT_Library library = FT_FACE_LIBRARY( face );
FT_UNUSED( library );
if ( p + 4 > limit )
if ( !p || p + 4 > limit )
return SFNT_Err_Invalid_Table;
/* only recognize format 0 */
@ -3409,6 +3410,12 @@
}
num_cmaps = TT_NEXT_USHORT( p );
#ifdef FT_MAX_CHARMAP_CACHEABLE
if ( num_cmaps > FT_MAX_CHARMAP_CACHEABLE )
FT_ERROR(( "tt_face_build_cmaps: too many cmap subtables(%d) "
"subtable#%d and later are loaded but cannot be searched\n",
num_cmaps, FT_MAX_CHARMAP_CACHEABLE + 1 ));
#endif
for ( ; num_cmaps > 0 && p + 8 <= limit; num_cmaps-- )
{

12
lib/freetype/src/sfnt/ttload.c
View File

@ -5,7 +5,8 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (body). */
/* */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */
/* 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -693,6 +694,15 @@
maxProfile->maxTwilightPoints = 0xFFFFU - 4;
}
/* we arbitrarily limit recursion to avoid stack exhaustion */
if ( maxProfile->maxComponentDepth > 100 )
{
FT_TRACE0(( "tt_face_load_maxp:"
" abnormally large component depth (%d) set to 100\n",
maxProfile->maxComponentDepth ));
maxProfile->maxComponentDepth = 100;
}
}
FT_TRACE3(( "numGlyphs: %u\n", maxProfile->numGlyphs ));

39
lib/freetype/src/smooth/ftgrays.c
View File

@ -1007,45 +1007,40 @@
const FT_Vector* control2,
const FT_Vector* to )
{
TPos dx, dy, da, db;
TPos dx, dy;
TPos mid_x, mid_y;
int top, level;
int* levels;
FT_Vector* arc;
dx = DOWNSCALE( ras.x ) + to->x - ( control1->x << 1 );
/* Calculate midpoint and compare it with start and end. */
mid_x = ( DOWNSCALE( ras.x ) + to->x +
3 * ( control1->x + control2->x ) ) / 8;
mid_y = ( DOWNSCALE( ras.y ) + to->y +
3 * ( control1->y + control2->y ) ) / 8;
dx = DOWNSCALE( ras.x ) + to->x - ( mid_x << 1 );
if ( dx < 0 )
dx = -dx;
dy = DOWNSCALE( ras.y ) + to->y - ( control1->y << 1 );
dy = DOWNSCALE( ras.y ) + to->y - ( mid_y << 1 );
if ( dy < 0 )
dy = -dy;
if ( dx < dy )
dx = dy;
da = dx;
dx = DOWNSCALE( ras.x ) + to->x - 3 * ( control1->x + control2->x );
if ( dx < 0 )
dx = -dx;
dy = DOWNSCALE( ras.y ) + to->y - 3 * ( control1->x + control2->y );
if ( dy < 0 )
dy = -dy;
if ( dx < dy )
dx = dy;
db = dx;
/* Check whether an approximation with straight lines is sufficient. */
level = 1;
da = da / ras.cubic_level;
db = db / ras.conic_level;
while ( da > 0 || db > 0 )
dx = dx / ras.conic_level;
while ( dx > 0 )
{
da >>= 2;
db >>= 3;
dx >>= 3;
level++;
}
if ( level <= 1 )
{
TPos to_x, to_y, mid_x, mid_y;
TPos to_x, to_y;
to_x = UPSCALE( to->x );
@ -1104,7 +1099,7 @@
Draw:
{
TPos to_x, to_y, mid_x, mid_y;
TPos to_x, to_y;
to_x = arc[0].x;
@ -1189,7 +1184,7 @@
/* first of all, compute the scanline offset */
p = (unsigned char*)map->buffer - y * map->pitch;
if ( map->pitch >= 0 )
p += ( map->rows - 1 ) * map->pitch;
p += (unsigned)( ( map->rows - 1 ) * map->pitch );
for ( ; count > 0; count--, spans++ )
{

4
lib/freetype/src/smooth/ftsmooth.c
View File

@ -4,7 +4,7 @@
/* */
/* Anti-aliasing renderer interface (body). */
/* */
/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */
/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@ -207,7 +207,7 @@
/* Required check is ( pitch * height < FT_ULONG_MAX ), */
/* but we care realistic cases only. Always pitch <= width. */
if ( width > 0xFFFFU || height > 0xFFFFU )
if ( width > 0x7FFFU || height > 0x7FFFU )
{
FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
width, height ));

4
lib/freetype/src/truetype/ttinterp.c
View File

@ -6466,8 +6466,8 @@
end_point = CUR.pts.contours[contour] - CUR.pts.first_point;
first_point = point;
if ( CUR.pts.n_points <= end_point )
end_point = CUR.pts.n_points;
if ( BOUNDS ( end_point, CUR.pts.n_points ) )
end_point = CUR.pts.n_points - 1;
while ( point <= end_point && ( CUR.pts.tags[point] & mask ) == 0 )
point++;