[114266] trunk/dports/print/freetype

ryandesign at macports.org ryandesign at macports.org
Tue Dec 3 22:04:39 PST 2013 

Revision: 114266
          https://trac.macports.org/changeset/114266
Author:   ryandesign at macports.org
Date:     2013-12-03 22:04:38 -0800 (Tue, 03 Dec 2013)
Log Message:
-----------
freetype: fix crash in TT_Load_Simple_Glyph (#41645)

Modified Paths:
--------------
    trunk/dports/print/freetype/Portfile

Added Paths:
-----------
    trunk/dports/print/freetype/files/patch-TT_Load_Simple_Glyph.diff

Modified: trunk/dports/print/freetype/Portfile
===================================================================
--- trunk/dports/print/freetype/Portfile	2013-12-04 05:21:49 UTC (rev 114265)
+++ trunk/dports/print/freetype/Portfile	2013-12-04 06:04:38 UTC (rev 114266)
@@ -6,6 +6,7 @@
 
 name                    freetype
 version                 2.5.1
+revision                1
 categories              print graphics
 maintainers             ryandesign
 license                 {FreeType GPL-2}
@@ -43,6 +44,7 @@
 
 patchfiles \
     patch-src_base_ftrfork.c.diff \
+    patch-TT_Load_Simple_Glyph.diff \
     patch-modules.cfg.diff
 
 depends_lib             port:bzip2 \

Added: trunk/dports/print/freetype/files/patch-TT_Load_Simple_Glyph.diff
===================================================================
--- trunk/dports/print/freetype/files/patch-TT_Load_Simple_Glyph.diff	                        (rev 0)
+++ trunk/dports/print/freetype/files/patch-TT_Load_Simple_Glyph.diff	2013-12-04 06:04:38 UTC (rev 114266)
@@ -0,0 +1,86 @@
+Fix crash in TT_Load_Simple_Glyph
+https://savannah.nongnu.org/bugs/?40797
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=64872a50165d842d72c520f5f7e19124dbf7822d
+--- ChangeLog.orig	2013-11-24 17:27:44.000000000 -0600
++++ ChangeLog	2013-12-03 23:58:38.000000000 -0600
+@@ -1,3 +1,16 @@
++2013-12-02  Werner Lemberg  <wl at gnu.org>
++
++	[truetype] Fix change from 2013-11-20.
++
++	Problem reported by Akira Kakuto <kakuto at fuk.kindai.ac.jp>.
++
++	* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Protect call to
++	`Update_Max' with both a TT_USE_BYTECODE_INTERPRETER guard and a
++	`IS_HINTED' clause.
++	Also remove redundant check using `maxSizeOfInstructions' – in
++	simple glyphs, the bytecode data comes before the outline data, and
++	a validity test for this is already present.
++
+ 2013-11-25  Werner Lemberg  <wl at gnu.org>
+ 
+ 	* Version 2.5.1 released.
+--- src/truetype/ttgload.c.orig	2013-11-20 14:03:17.000000000 -0600
++++ src/truetype/ttgload.c	2013-12-03 23:54:56.000000000 -0600
+@@ -348,8 +348,7 @@
+     FT_GlyphLoader  gloader    = load->gloader;
+     FT_Int          n_contours = load->n_contours;
+     FT_Outline*     outline;
+-    TT_Face         face       = (TT_Face)load->face;
+-    FT_UShort       n_ins, max_ins;
++    FT_UShort       n_ins;
+     FT_Int          n_points;
+     FT_ULong        tmp;
+ 
+@@ -418,30 +417,6 @@
+     FT_TRACE5(( "  Instructions size: %u\n", n_ins ));
+ 
+     /* check it */
+-    max_ins = face->max_profile.maxSizeOfInstructions;
+-    if ( n_ins > max_ins )
+-    {
+-      /* don't trust `maxSizeOfInstructions'; */
+-      /* only do a rough safety check         */
+-      if ( (FT_Int)n_ins > load->byte_len )
+-      {
+-        FT_TRACE1(( "TT_Load_Simple_Glyph:"
+-                    " too many instructions (%d) for glyph with length %d\n",
+-                    n_ins, load->byte_len ));
+-        return FT_THROW( Too_Many_Hints );
+-      }
+-
+-      tmp = load->exec->glyphSize;
+-      error = Update_Max( load->exec->memory,
+-                          &tmp,
+-                          sizeof ( FT_Byte ),
+-                          (void*)&load->exec->glyphIns,
+-                          n_ins );
+-      load->exec->glyphSize = (FT_UShort)tmp;
+-      if ( error )
+-        return error;
+-    }
+-
+     if ( ( limit - p ) < n_ins )
+     {
+       FT_TRACE0(( "TT_Load_Simple_Glyph: instruction count mismatch\n" ));
+@@ -453,6 +428,20 @@
+ 
+     if ( IS_HINTED( load->load_flags ) )
+     {
++      /* we don't trust `maxSizeOfInstructions' in the `maxp' table */
++      /* and thus update the bytecode array size by ourselves       */
++
++      tmp   = load->exec->glyphSize;
++      error = Update_Max( load->exec->memory,
++                          &tmp,
++                          sizeof ( FT_Byte ),
++                          (void*)&load->exec->glyphIns,
++                          n_ins );
++
++      load->exec->glyphSize = (FT_UShort)tmp;
++      if ( error )
++        return error;
++
+       load->glyph->control_len  = n_ins;
+       load->glyph->control_data = load->exec->glyphIns;
+ 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/macports-changes/attachments/20131203/c890a22e/attachment-0001.html>

More information about the macports-changes mailing list