path: root/t1lib/CVE-2011-1552_1553_1554.patch
    1 Author: Jaroslav Škarvada <jskarvad@redhat.com>
    2 Description: Fix more crashes on oversized fonts
    3 Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
    4 Index: t1lib-5.1.2/lib/type1/lines.c
    5 ===================================================================
    6 --- t1lib-5.1.2.orig/lib/type1/lines.c	2007-12-23 09:49:42.000000000 -0600
    7 +++ t1lib-5.1.2/lib/type1/lines.c	2012-01-17 14:15:08.000000000 -0600
    8 @@ -67,6 +67,10 @@
    9  None.
   10  */
   11   
   12 +#define  BITS         (sizeof(LONG)*8)
   13 +#define  HIGHTEST(p)  (((p)>>(BITS-2)) != 0)  /* includes sign bit */
   14 +#define  TOOBIG(xy)   ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
   15 +
   16  /*
   17  :h2.StepLine() - Produces Run Ends for a Line After Checks
   18   
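Review bot: `TOOBIG(xy)` in the added macros uses its argument without parentheses and negates it, so for the most negative LONG value `-xy` is a signed overflow (undefined behaviour) before `HIGHTEST` is applied, and an argument such as `a - b` would expand incorrectly. These macros are the range check for coordinates that, going by the patch description, can come from an oversized font, so the check itself should be free of undefined behaviour. A form without negation gives the same limit: `#define TOOBIG(xy) ((xy) >= ((LONG)1 << (BITS-2)) || (xy) <= -((LONG)1 << (BITS-2)))`. `BITS` also assumes 8-bit bytes; `sizeof(LONG)*CHAR_BIT` states that explicitly if `<limits.h>` is available in this file.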
   19 @@ -84,6 +88,9 @@
   20         IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
   21                                              x1, y1, x2, y2);
   22   
   23 +      if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
   24 +              abort("Lines this big not supported", 49);
   25 +
   26         dy = y2 - y1;
   27   
   28  /*
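Review bot: The literal `49` passed to `abort()` on the added line has to stay in step with the position of "Lines this big not supported" in the `err_msgs` table that this same patch edits in objects.c, and nothing here says so. A shared named constant, or at least a comment such as `/* 49 = index of this message in err_msgs (objects.c) */`, would keep a later table edit from silently mapping this call to the wrong message. A one-line comment above the test stating that the limit leaves headroom so that `dy = y2 - y1` cannot overflow would also help, if that is the intent; the rest of StepLine is outside the hunk.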
   29 Index: t1lib-5.1.2/lib/type1/objects.c
   30 ===================================================================
   31 --- t1lib-5.1.2.orig/lib/type1/objects.c	2007-12-23 09:49:42.000000000 -0600
   32 +++ t1lib-5.1.2/lib/type1/objects.c	2012-01-17 14:15:08.000000000 -0600
   33 @@ -1137,12 +1137,13 @@
   34      "Context:  out of them", /* 46 */
   35      "MatrixInvert:  can't", /* 47 */
   36      "xiStub called", /* 48 */
   37 -    "Illegal access type1 abort() message" /* 49 */
   38 +    "Lines this big not supported", /* 49 */
   39 +    "Illegal access type1 abort() message" /* 50 */
   40    };
   41  
   42 -  /* no is valid from 1 to 48 */
   43 -  if ( (number<1)||(number>48))
   44 -    number=49;
   45 +  /* no is valid from 1 to 49 */
   46 +  if ( (number<1)||(number>49))
   47 +    number=50;
   48    return( err_msgs[number-1]);
   49      
   50  }
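Review bot: The range test `(number<1)||(number>49)` and the fallback `number=50` hard-code the length of `err_msgs`, which is why both had to be edited by hand here when one message was added. Deriving them from the array keeps the index in bounds whenever the table changes: `const int last = (int)(sizeof(err_msgs)/sizeof(err_msgs[0]));` followed by `if (number < 1 || number >= last) number = last;`. The function signature and the declaration of the table are outside the hunk, so the type of `number` and that `err_msgs` is a true array at this point should be confirmed.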
   51 Index: t1lib-5.1.2/lib/type1/type1.c
   52 ===================================================================
   53 --- t1lib-5.1.2.orig/lib/type1/type1.c	2012-01-17 14:13:28.000000000 -0600
   54 +++ t1lib-5.1.2/lib/type1/type1.c	2012-01-17 14:19:54.000000000 -0600
   55 @@ -1012,6 +1012,7 @@
   56    double nextdtana = 0.0;   /* tangent of post-delta against horizontal line */ 
   57    double nextdtanb = 0.0;   /* tangent of post-delta against vertical line */ 
   58    
   59 +  if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
   60   
   61    /* setup default hinted position */
   62    ppoints[numppoints-1].ax     = ppoints[numppoints-1].x;
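Review bot: The new guard `if (ppoints == NULL || numppoints < 1) Error0v(...)` protects the `ppoints[numppoints-1]` accesses below only if `Error0v` leaves the function, and the macro's definition is not visible here. Putting the body in braces, `if (ppoints == NULL || numppoints < 1) { Error0v("FindStems: No previous point!\n"); }`, keeps the whole expansion under the condition even if the macro is more than one statement, and a short comment that the macro returns would spare the next reader the lookup. The same unbraced form is used for the guards added in RLineTo, RRCurveTo, DoClosePath, RMoveTo, FlxProc and FlxProc2 later in this file.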
   63 @@ -1289,7 +1290,7 @@
   64  static int DoRead(CodeP)
   65    int *CodeP;
   66  {
   67 -  if (strindex >= CharStringP->len) return(FALSE); /* end of string */
   68 +  if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
   69    /* We handle the non-documented Adobe convention to use lenIV=-1 to
   70       suppress charstring encryption. */
   71    if (blues->lenIV==-1) {
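Review bot: The trailing comment `/* end of string */` on the changed line no longer matches the condition, which now also returns FALSE when `CharStringP` is NULL. Callers cannot distinguish a missing charstring from one that has been read to the end, so the comment should at least say so, e.g. `/* no charstring, or end of string */`. The type of `strindex` and whether it can be negative are not shown in this hunk and are worth confirming, since only the upper bound is tested.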
   72 @@ -1700,7 +1701,7 @@
   73    long pindex = 0;
   74    
   75    /* compute hinting for previous segment! */
   76 -  if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
   77 +  if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n");
   78    FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
   79  
   80    /* Allocate a new path point and pre-setup data */
   81 @@ -1729,7 +1730,7 @@
   82    long pindex = 0;
   83    
   84    /* compute hinting for previous point! */
   85 -  if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
   86 +  if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
   87    FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
   88  
   89    /* Allocate three new path points and pre-setup data */
   90 @@ -1788,7 +1789,9 @@
   91    long tmpind;
   92    double deltax = 0.0;
   93    double deltay = 0.0;
   94 -  
   95 + 
   96 +  if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
   97 + 
   98    /* If this ClosePath command together with the starting point of this
   99       path completes to a segment aligned to a stem, we would miss
  100       hinting for this point. --> Check and explicitly care for this! */
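Review bot: The message added here, `"DoClosePath: No previous point!"`, has no trailing `\n`, while the existing messages on the RLineTo, RRCurveTo and RMoveTo guards and the FindStems guard added by this patch all end with one. If these strings are written to a trace or error stream unchanged, the new ones will run into whatever is printed next; append `\n` here and in the second DoClosePath guard, FlxProc and FlxProc2. The hunk also swaps one whitespace-only line for two others, which is noise in a security fix and could be dropped.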
  101 @@ -1803,6 +1806,7 @@
  102      deltax = ppoints[i].x - ppoints[numppoints-1].x;
  103      deltay = ppoints[i].y - ppoints[numppoints-1].y;
  104  
  105 +    if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
  106      /* save nummppoints and reset to move point */
  107      tmpind = numppoints;
  108      numppoints = i + 1;
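Review bot: The added test comes after `deltax = ppoints[i].x - ppoints[numppoints-1].x;` and the matching `deltay` line, so `ppoints` has already been dereferenced at `i` and at `numppoints-1` by the time `ppoints == NULL` is evaluated, and that half of the condition cannot take effect here. The function-entry guard added earlier in this patch already covers NULL. What the test can still protect is a later read at index `i + 1`, which is presumably its purpose, though that code is outside the hunk. I would move it above the two subtractions, reduce it to `if (numppoints <= i + 1) Error0i("DoClosePath: No previous point!\n");` and add a comment naming the access it guards, e.g. `/* ppoints[i+1] is read below */`.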
  109 @@ -1905,7 +1909,7 @@
  110      FindStems( currx, curry, 0, 0, dx, dy);
  111    }
  112    else {
  113 -    if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
  114 +    if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
  115      FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
  116    }
  117    
  118 @@ -2155,6 +2159,7 @@
  119    DOUBLE cx, cy;
  120    DOUBLE ex, ey;
  121  
  122 +  if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
  123  
  124    /* Our PPOINT list now contains 7 moveto commands which
  125       are about to be consumed by the Flex mechanism. --> Remove these
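Review bot: The threshold in `numppoints < 8` is unexplained, and the comment directly below it speaks of 7 moveto commands, so a reader has to guess that the eighth entry is the point preceding them. A comment on the guard, e.g. `/* 7 flex movetos plus the point before them */`, would let the bound be checked against the indexing further down in FlxProc, which is outside this hunk; the wording should be confirmed against that code. The message "No previous point!" also understates the condition; something like `"FlxProc: too few path points for Flex!\n"` describes what was actually tested.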
  126 @@ -2324,6 +2329,7 @@
  127  /*   Returns currentpoint on stack          */
  128  static void FlxProc2()
  129  {
  130 +  if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
  131    /* Push CurrentPoint on fake PostScript stack */
  132    PSFakePush( ppoints[numppoints-1].x);
  133    PSFakePush( ppoints[numppoints-1].y);
