freetype-devel

Re: [ft-devel] subrs length checking


From: Werner LEMBERG
Subject: Re: [ft-devel] subrs length checking
Date: Sat, 10 May 2008 06:57:13 +0200 (CEST)

> I have a Type1 font which used to work in older versions of FreeType
> but fails to open in the latest version.
> 
> The problem is with checking the Subrs array.  There is only one
> entry in the array, and it has a binary length of 4.  The font also
> has lenIV set to 4, so in effect the Subr contains no data.
> 
> The problem is that the latest version of t1load.c checks the binary
> size (line 1400)
> 
>         if ( size <= face->type1.private_dict.lenIV )
>         {
>           error = T1_Err_Invalid_File_Format;
>           goto Fail;
>         }
> 
> In this case size and lenIV are both 4.
> 
> Technically the font isn't completely correct, I think a Subr must
> at least have a return,

Exactly.

> but it has always worked in the past (probably the Subr is never
> called).  Is it sensible to cover this as a special case by relaxing
> the check to be < rather than <= ?

I introduced this as a security check; malformed Type 1 fonts can
crash FreeType otherwise.  Looking at the code lines which follow I
think `<=' is necessary.  However, it's probably possible to relax the
error so that it becomes a warning (that is, just ignoring the Subr).
Can you send me the offending font for further investigation?


    Werner
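As an added illustration of the check under discussion (constructed example code, not FreeType's own source or anything posted by either participant), the following C program shows why a Subr needs size > lenIV to contain even a single opcode, and contrasts the strict rejection the poster hit with the skip-with-warning alternative suggested in the reply. The function names, the Subrs length tables and the treatment of a negative lenIV are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* A Type 1 Subrs entry is `size' bytes of encrypted charstring whose
   first `lenIV' bytes are a random prefix that decryption discards.
   Only the bytes after the prefix can hold opcodes, so a usable Subr
   needs size > lenIV (at minimum a `return').  Everything below is a
   constructed illustration, not FreeType code. */

/* Mirrors the `<=' test in the quoted t1load.c snippet.  Returns 1 when
   at least one charstring byte remains after the prefix, 0 when the
   entry is empty.  A negative lenIV is treated as "no prefix" here;
   that is an assumption of this example. */
int subr_has_data(size_t size, int lenIV)
{
    size_t prefix = lenIV < 0 ? 0 : (size_t)lenIV;
    return size > prefix;
}

/* Walks a Subrs array under one of two policies.
   strict != 0: reject the font at the first empty entry (returns -1),
                the behaviour the original poster ran into.
   strict == 0: the "warning" alternative from the reply: keep loading,
                ignore empty entries, return how many were skipped. */
int load_subrs(const size_t *sizes, size_t count, int lenIV, int strict)
{
    int skipped = 0;
    for (size_t i = 0; i < count; i++) {
        if (subr_has_data(sizes[i], lenIV))
            continue;
        if (strict)
            return -1;                 /* T1_Err_Invalid_File_Format */
        fprintf(stderr, "warning: ignoring empty Subr %zu\n", i);
        skipped++;
    }
    return skipped;
}

/* Constructed Subrs length tables, both used with lenIV = 4. */
const size_t kPosterFont[] = { 4 };        /* the poster's font: one empty Subr */
const size_t kMixedFont[]  = { 9, 4, 5 };  /* one empty Subr among valid ones */

int main(void)
{
    printf("poster strict: %d\n", load_subrs(kPosterFont, 1, 4, 1));   /* -1 */
    printf("poster lenient: %d\n", load_subrs(kPosterFont, 1, 4, 0));  /* 1 */
    printf("mixed lenient: %d\n", load_subrs(kMixedFont, 3, 4, 0));    /* 1 */
    return 0;
}
```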



