erkanisik
/
main
kopia lustrzana https://github.com/pisilinux/main.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134
							Author: Jaroslav Škarvada <jskarvad@redhat.com>
Description: Fix more crashes on oversized fonts
Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
Index: b/lib/type1/lines.c
===================================================================
--- a/lib/type1/lines.c	2007-12-23 09:49:42.000000000 -0600
+++ b/lib/type1/lines.c	2012-01-17 14:15:08.000000000 -0600
@@ -67,6 +67,10 @@
 None.
 */
  
+#define  BITS         (sizeof(LONG)*8)
+#define  HIGHTEST(p)  (((p)>>(BITS-2)) != 0)  /* includes sign bit */
+#define  TOOBIG(xy)   ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
+
 /*
 :h2.StepLine() - Produces Run Ends for a Line After Checks
  
@@ -84,6 +88,9 @@
        IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
                                             x1, y1, x2, y2);
  
+      if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
+              abort("Lines this big not supported", 49);
+
        dy = y2 - y1;
  
 /*
Index: b/lib/type1/objects.c
===================================================================
--- a/lib/type1/objects.c	2007-12-23 09:49:42.000000000 -0600
+++ b/lib/type1/objects.c	2012-01-17 14:15:08.000000000 -0600
@@ -1137,12 +1137,13 @@
     "Context:  out of them", /* 46 */
     "MatrixInvert:  can't", /* 47 */
     "xiStub called", /* 48 */
-    "Illegal access type1 abort() message" /* 49 */
+    "Lines this big not supported", /* 49 */
+    "Illegal access type1 abort() message" /* 50 */
   };
 
-  /* no is valid from 1 to 48 */
-  if ( (number<1)||(number>48))
-    number=49;
+  /* no is valid from 1 to 49 */
+  if ( (number<1)||(number>49))
+    number=50;
   return( err_msgs[number-1]);
     
 }
Index: b/lib/type1/type1.c
===================================================================
--- a/lib/type1/type1.c	2012-01-17 14:13:28.000000000 -0600
+++ b/lib/type1/type1.c	2012-01-17 14:19:54.000000000 -0600
@@ -1012,6 +1012,7 @@
   double nextdtana = 0.0;   /* tangent of post-delta against horizontal line */ 
   double nextdtanb = 0.0;   /* tangent of post-delta against vertical line */ 
   
+  if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
  
   /* setup default hinted position */
   ppoints[numppoints-1].ax     = ppoints[numppoints-1].x;
@@ -1289,7 +1290,7 @@
 static int DoRead(CodeP)
   int *CodeP;
 {
-  if (strindex >= CharStringP->len) return(FALSE); /* end of string */
+  if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
   /* We handle the non-documented Adobe convention to use lenIV=-1 to
      suppress charstring encryption. */
   if (blues->lenIV==-1) {
@@ -1700,7 +1701,7 @@
   long pindex = 0;
   
   /* compute hinting for previous segment! */
-  if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
+  if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
 
   /* Allocate a new path point and pre-setup data */
@@ -1729,7 +1730,7 @@
   long pindex = 0;
   
   /* compute hinting for previous point! */
-  if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
+  if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
 
   /* Allocate three new path points and pre-setup data */
@@ -1788,7 +1789,9 @@
   long tmpind;
   double deltax = 0.0;
   double deltay = 0.0;
-  
+ 
+  if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
+ 
   /* If this ClosePath command together with the starting point of this
      path completes to a segment aligned to a stem, we would miss
      hinting for this point. --> Check and explicitly care for this! */
@@ -1803,6 +1806,7 @@
     deltax = ppoints[i].x - ppoints[numppoints-1].x;
     deltay = ppoints[i].y - ppoints[numppoints-1].y;
 
+    if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
     /* save nummppoints and reset to move point */
     tmpind = numppoints;
     numppoints = i + 1;
@@ -1905,7 +1909,7 @@
     FindStems( currx, curry, 0, 0, dx, dy);
   }
   else {
-    if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
+    if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
     FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
   }
   
@@ -2155,6 +2159,7 @@
   DOUBLE cx, cy;
   DOUBLE ex, ey;
 
+  if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
 
   /* Our PPOINT list now contains 7 moveto commands which
      are about to be consumed by the Flex mechanism. --> Remove these
@@ -2324,6 +2329,7 @@
 /*   Returns currentpoint on stack          */
 static void FlxProc2()
 {
+  if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
   /* Push CurrentPoint on fake PostScript stack */
   PSFakePush( ppoints[numppoints-1].x);
   PSFakePush( ppoints[numppoints-1].y);