/* */
/* TrueType GX Font Variation loader */
/* */
-/* Copyright 2004, 2005, 2006, 2007 by */
+/* Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
/* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */
/* */
/* This file is part of the FreeType project, and may only be used, */
/***************************************************************************/
-/***************************************************************************/
-/* */
-/* Apple documents the `fvar', `gvar', `cvar', and `avar' tables at */
-/* */
-/* http://developer.apple.com/fonts/TTRefMan/RM06/Chap6[fgca]var.html */
-/* */
-/* The documentation for `fvar' is inconsistent. At one point it says */
-/* that `countSizePairs' should be 3, at another point 2. It should be 2. */
-/* */
-/* The documentation for `gvar' is not intelligible; `cvar' refers you to */
-/* `gvar' and is thus also incomprehensible. */
-/* */
-/* The documentation for `avar' appears correct, but Apple has no fonts */
-/* with an `avar' table, so it is hard to test. */
-/* */
-/* Many thanks to John Jenkins (at Apple) in figuring this out. */
-/* */
-/* */
-/* Apple's `kern' table has some references to tuple indices, but as there */
-/* is no indication where these indices are defined, nor how to */
-/* interpolate the kerning values (different tuples have different */
-/* classes) this issue is ignored. */
-/* */
-/***************************************************************************/
+ /*************************************************************************/
+ /* */
+ /* Apple documents the `fvar', `gvar', `cvar', and `avar' tables at */
+ /* */
+ /* http://developer.apple.com/fonts/TTRefMan/RM06/Chap6[fgca]var.html */
+ /* */
+ /* The documentation for `fvar' is inconsistent. At one point it says */
+ /* that `countSizePairs' should be 3, at another point 2. It should */
+ /* be 2. */
+ /* */
+ /* The documentation for `gvar' is not intelligible; `cvar' refers you */
+ /* to `gvar' and is thus also incomprehensible. */
+ /* */
+ /* The documentation for `avar' appears correct, but Apple has no fonts */
+ /* with an `avar' table, so it is hard to test. */
+ /* */
+ /* Many thanks to John Jenkins (at Apple) in figuring this out. */
+ /* */
+ /* */
+ /* Apple's `kern' table has some references to tuple indices, but as */
+ /* there is no indication where these indices are defined, nor how to */
+ /* interpolate the kerning values (different tuples have different */
+ /* classes) this issue is ignored. */
+ /* */
+ /*************************************************************************/
#include <ft2build.h>
#include FT_CONFIG_CONFIG_H
#include FT_INTERNAL_STREAM_H
#include FT_INTERNAL_SFNT_H
-#include FT_TRUETYPE_IDS_H
#include FT_TRUETYPE_TAGS_H
#include FT_MULTIPLE_MASTERS_H
-#include "ttdriver.h"
#include "ttpload.h"
#include "ttgxvar.h"
#define ALL_POINTS (FT_UShort*)( -1 )
- enum
- {
- GX_PT_POINTS_ARE_WORDS = 0x80,
- GX_PT_POINT_RUN_COUNT_MASK = 0x7F
- };
+#define GX_PT_POINTS_ARE_WORDS 0x80
+#define GX_PT_POINT_RUN_COUNT_MASK 0x7F
/*************************************************************************/
FT_Int j;
FT_Int first;
FT_Memory memory = stream->memory;
- FT_Error error = TT_Err_Ok;
+ FT_Error error = TT_Err_Ok;
FT_UNUSED( error );
runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
first = points[i++] = FT_GET_USHORT();
+ if ( runcnt < 1 || i + runcnt >= n )
+ goto Exit;
+
/* first point not included in runcount */
for ( j = 0; j < runcnt; ++j )
points[i++] = (FT_UShort)( first += FT_GET_USHORT() );
{
first = points[i++] = FT_GET_BYTE();
+ if ( runcnt < 1 || i + runcnt >= n )
+ goto Exit;
+
for ( j = 0; j < runcnt; ++j )
points[i++] = (FT_UShort)( first += FT_GET_BYTE() );
}
}
+ Exit:
return points;
}
/* */
static FT_Short*
ft_var_readpackeddeltas( FT_Stream stream,
- FT_Int delta_cnt )
+ FT_Offset delta_cnt )
{
- FT_Short *deltas;
- FT_Int runcnt;
- FT_Int i;
- FT_Int j;
+ FT_Short *deltas = NULL;
+ FT_UInt runcnt;
+ FT_Offset i;
+ FT_UInt j;
FT_Memory memory = stream->memory;
- FT_Error error = TT_Err_Ok;
+ FT_Error error = TT_Err_Ok;
FT_UNUSED( error );
}
- typedef struct GX_GVar_Head_ {
+ typedef struct GX_GVar_Head_
+ {
FT_Long version;
FT_UShort axisCount;
FT_UShort globalCoordCount;
/*************************************************************************/
- typedef struct GX_FVar_Head_ {
+ typedef struct GX_FVar_Head_
+ {
FT_Long version;
FT_UShort offsetToData;
FT_UShort countSizePairs;
} GX_FVar_Head;
- typedef struct fvar_axis {
+ typedef struct fvar_axis_
+ {
FT_ULong axisTag;
FT_ULong minValue;
FT_ULong defaultValue;
if ( fvar_head.version != (FT_Long)0x00010000L ||
fvar_head.countSizePairs != 2 ||
fvar_head.axisSize != 20 ||
+ /* axisCount limit implied by 16-bit instanceSize */
+ fvar_head.axisCount > 0x3FFE ||
fvar_head.instanceSize != 4 + 4 * fvar_head.axisCount ||
+ /* instanceCount limit implied by limited range of name IDs */
+ fvar_head.instanceCount > 0x7EFF ||
fvar_head.offsetToData + fvar_head.axisCount * 20U +
fvar_head.instanceCount * fvar_head.instanceSize > table_len )
{
if ( FT_NEW( face->blend ) )
goto Exit;
- /* XXX: TODO - check for overflows */
+ /* cannot overflow 32-bit arithmetic because of limits above */
face->blend->mmvar_len =
sizeof ( FT_MM_Var ) +
fvar_head.axisCount * sizeof ( FT_Var_Axis ) +
}
ns = mmvar->namedstyle;
- for ( i = 0; i < fvar_head.instanceCount; ++i )
+ for ( i = 0; i < fvar_head.instanceCount; ++i, ++ns )
{
if ( FT_FRAME_ENTER( 4L + 4L * fvar_head.axisCount ) )
goto Exit;
}
else
{
- for ( i = 0;
- i < num_coords && blend->normalizedcoords[i] == coords[i];
- ++i );
- if ( i == num_coords )
- manageCvt = mcvt_retain;
- else
+ manageCvt = mcvt_retain;
+ for ( i = 0; i < num_coords; ++i )
+ {
+ if ( blend->normalizedcoords[i] != coords[i] )
+ {
manageCvt = mcvt_load;
+ break;
+ }
+ }
/* If we don't change the blend coords then we don't need to do */
/* anything to the cvt table. It will be correct. Otherwise we */
if ( blend == NULL )
{
- FT_TRACE2(( "no blend specified!\n" ));
+ FT_TRACE2(( "tt_face_vary_cvt: no blend specified\n" ));
error = TT_Err_Ok;
goto Exit;
if ( face->cvt == NULL )
{
- FT_TRACE2(( "no `cvt ' table!\n" ));
+ FT_TRACE2(( "tt_face_vary_cvt: no `cvt ' table\n" ));
error = TT_Err_Ok;
goto Exit;
error = face->goto_table( face, TTAG_cvar, stream, &table_len );
if ( error )
{
- FT_TRACE2(( "is missing!\n" ));
+ FT_TRACE2(( "is missing\n" ));
error = TT_Err_Ok;
goto Exit;
table_start = FT_Stream_FTell( stream );
if ( FT_GET_LONG() != 0x00010000L )
{
- FT_TRACE2(( "bad table version!\n" ));
+ FT_TRACE2(( "bad table version\n" ));
error = TT_Err_Ok;
goto FExit;
projects / reactos.git / blobdiff