--- xpdf-3.00/fofi/FoFiTrueType.cc	(revision 439182)
+++ xpdf-3.00/fofi/FoFiTrueType.cc	(working copy)
@@ -1343,6 +1343,27 @@
     return;
   }
 
+  // make sure the loca table is sane (correct length and entries are
+  // in bounds)
+  i = seekTable("loca");
+  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+    parsedOk = gFalse;
+    return;
+  }
+  for (j = 0; j <= nGlyphs; ++j) {
+    if (locaFmt) {
+      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+    } else {
+      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+    }
+    if (pos < 0 || pos > len) {
+      parsedOk = gFalse;
+    }
+  }
+  if (!parsedOk) {
+    return;
+  }
+
   // read the post table
   readPostTable();
   if (!parsedOk) {
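Review bot: The entry check `pos > len` bounds each loca value by `len`, which appears to be the length of the whole font file rather than of the glyf table, so an entry can pass here and still point past the glyph data. In the TrueType format, loca entries are offsets relative to the start of glyf, and in the short format (`locaFmt` == 0) the stored value is the offset divided by two. The comparison would be tighter as `if (pos < 0 || (locaFmt ? pos : 2 * pos) > glyfLen)`, where `glyfLen` stands for the length recorded for the glyf table. The hunk also uses the result of `seekTable("loca")` as an index into `tables` without testing it; unless earlier code in this function guarantees the table exists, add `if (i < 0) { parsedOk = gFalse; return; }` first. The enclosing function starts and ends outside the hunk.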
--- xpdf-3.00/xpdf/SplashOutputDev.cc	(revision 439182)
+++ xpdf-3.00/xpdf/SplashOutputDev.cc	(working copy)
@@ -621,16 +621,19 @@
       }
       break;
     case fontTrueType:
-      if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
-	goto err2;
+      if ((ff = FoFiTrueType::load(fileName->getCString()))) {
+	codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+	n = 256;
+	delete ff;
+      } else {
+	codeToGID = NULL;
+	n = 0;
       }
-      codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
-      delete ff;
       if (!(fontFile = fontEngine->loadTrueTypeFont(
 			   id,
 			   fileName->getCString(),
 			   fileName == tmpFileName,
-			   codeToGID, 256))) {
+			   codeToGID, n))) {
 	error(-1, "Couldn't create a font for '%s'",
 	      gfxFont->getName() ? gfxFont->getName()->getCString()
 	                         : "(unnamed)");
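Review bot: When `FoFiTrueType::load` fails, the new `else` branch no longer takes `goto err2` but passes the same file to `fontEngine->loadTrueTypeFont` with `codeToGID = NULL` and `n = 0`, so a font the parser rejected still reaches the font engine. Nothing in the hunk shows that `loadTrueTypeFont` accepts a null map with a zero count or validates the file itself. If it does, say so on the branch, e.g. `// parse failed: pass an empty code-to-GID map; loadTrueTypeFont must accept NULL/0 and reject malformed files itself`. If it does not, keeping the rejection (`goto err2;` in the `else`) is the safer behaviour. The enclosing switch and function continue outside the hunk.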