... |
... |
@@ -264,55 +264,80 @@ |
264
|
264
|
FT_Fixed *deltas = NULL;
|
265
|
265
|
FT_UInt runcnt, cnt;
|
266
|
266
|
FT_UInt i, j;
|
|
267
|
+ FT_UInt bytes_used;
|
267
|
268
|
FT_Memory memory = stream->memory;
|
268
|
269
|
FT_Error error = FT_Err_Ok;
|
269
|
270
|
|
270
|
271
|
FT_UNUSED( error );
|
271
|
272
|
|
272
|
273
|
|
273
|
|
- if ( delta_cnt > size )
|
274
|
|
- {
|
275
|
|
- FT_TRACE1(( "ft_var_readpackeddeltas: number of points too large\n" ));
|
276
|
|
- return NULL;
|
277
|
|
- }
|
278
|
|
-
|
279
|
274
|
if ( FT_NEW_ARRAY( deltas, delta_cnt ) )
|
280
|
275
|
return NULL;
|
281
|
276
|
|
282
|
|
- i = 0;
|
283
|
|
- while ( i < delta_cnt )
|
|
277
|
+ i = 0;
|
|
278
|
+ bytes_used = 0;
|
|
279
|
+
|
|
280
|
+ while ( i < delta_cnt && bytes_used < size )
|
284
|
281
|
{
|
285
|
282
|
runcnt = FT_GET_BYTE();
|
286
|
283
|
cnt = runcnt & GX_DT_DELTA_RUN_COUNT_MASK;
|
287
|
284
|
|
|
285
|
+ bytes_used++;
|
|
286
|
+
|
288
|
287
|
if ( runcnt & GX_DT_DELTAS_ARE_ZERO )
|
289
|
288
|
{
|
290
|
|
- /* `runcnt' zeroes get added */
|
|
289
|
+ /* `cnt` + 1 zeroes get added */
|
291
|
290
|
for ( j = 0; j <= cnt && i < delta_cnt; j++ )
|
292
|
291
|
deltas[i++] = 0;
|
293
|
292
|
}
|
294
|
293
|
else if ( runcnt & GX_DT_DELTAS_ARE_WORDS )
|
295
|
294
|
{
|
296
|
|
- /* `runcnt' shorts from the stack */
|
|
295
|
+ /* `cnt` + 1 shorts from the stack */
|
|
296
|
+ bytes_used += 2 * ( cnt + 1 );
|
|
297
|
+ if ( bytes_used > size )
|
|
298
|
+ {
|
|
299
|
+ FT_TRACE1(( "ft_var_readpackeddeltas:"
|
|
300
|
+ " number of short deltas too large\n" ));
|
|
301
|
+ goto Fail;
|
|
302
|
+ }
|
|
303
|
+
|
297
|
304
|
for ( j = 0; j <= cnt && i < delta_cnt; j++ )
|
298
|
305
|
deltas[i++] = FT_intToFixed( FT_GET_SHORT() );
|
299
|
306
|
}
|
300
|
307
|
else
|
301
|
308
|
{
|
302
|
|
- /* `runcnt' signed bytes from the stack */
|
|
309
|
+ /* `cnt` + 1 signed bytes from the stack */
|
|
310
|
+ bytes_used += cnt + 1;
|
|
311
|
+ if ( bytes_used > size )
|
|
312
|
+ {
|
|
313
|
+ FT_TRACE1(( "ft_var_readpackeddeltas:"
|
|
314
|
+ " number of byte deltas too large\n" ));
|
|
315
|
+ goto Fail;
|
|
316
|
+ }
|
|
317
|
+
|
303
|
318
|
for ( j = 0; j <= cnt && i < delta_cnt; j++ )
|
304
|
319
|
deltas[i++] = FT_intToFixed( FT_GET_CHAR() );
|
305
|
320
|
}
|
306
|
321
|
|
307
|
322
|
if ( j <= cnt )
|
308
|
323
|
{
|
309
|
|
- /* bad format */
|
310
|
|
- FT_FREE( deltas );
|
311
|
|
- return NULL;
|
|
324
|
+ FT_TRACE1(( "ft_var_readpackeddeltas:"
|
|
325
|
+ " number of deltas too large\n" ));
|
|
326
|
+ goto Fail;
|
312
|
327
|
}
|
313
|
328
|
}
|
314
|
329
|
|
|
330
|
+ if ( i < delta_cnt )
|
|
331
|
+ {
|
|
332
|
+ FT_TRACE1(( "ft_var_readpackeddeltas: not enough deltas\n" ));
|
|
333
|
+ goto Fail;
|
|
334
|
+ }
|
|
335
|
+
|
315
|
336
|
return deltas;
|
|
337
|
+
|
|
338
|
+ Fail:
|
|
339
|
+ FT_FREE( deltas );
|
|
340
|
+ return NULL;
|
316
|
341
|
}
|
317
|
342
|
|
318
|
343
|
|
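Review bot: With the `delta_cnt > size` guard removed, `FT_NEW_ARRAY( deltas, delta_cnt )` runs before anything ties `delta_cnt` to the amount of packed data, so a font that declares a large count against a tiny `size` still gets the full allocation before the loop reaches the `not enough deltas` exit. Dropping the old guard looks right, because a zero run yields `cnt + 1` deltas from a single control byte, but a looser bound still holds: one control byte can never produce more than `GX_DT_DELTA_RUN_COUNT_MASK + 1` deltas. I would add, ahead of the allocation, `if ( delta_cnt / ( GX_DT_DELTA_RUN_COUNT_MASK + 1 ) > size ) return NULL;` together with a matching `FT_TRACE1` message. The function's signature lies outside the hunk, so it should be confirmed there whether callers already cap `delta_cnt` and whether `size` always fits the `FT_UInt` used for `bytes_used`.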