[Devel] bug in cffload.c

From: Garrick Meeker
Subject: [Devel] bug in cffload.c
Date: Thu, 22 Jan 2004 08:06:05 -0800
User-agent: KMail/1.6
My code tries to find all the faces in a file by calling FT_New_Face and
incrementing face_index until an error is returned.
However, CFF fonts will crash if the index is too big. In cffload.c the
following code tries to free an uninitialized pointer:
    error = cff_index_access_element( idx, font_index, &dict, &dict_len ) ||
            cff_parser_run( &parser, dict, dict + dict_len );
    cff_index_forget_element( idx, &dict );
    if ( error )
      goto Exit;
cff_index_access_element returns an error without initializing 'dict'. I
fixed the problem by initializing 'dict' at line 1975:
FT_Byte* dict = NULL;
I think you could also check for an error immediately after
cff_index_forget_element.
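The pattern behind this report, as an added example that is not part of the original mail and not FreeType's code: an accessor that fails on an out-of-range element without touching its out-parameter, an unconditional cleanup call, and a caller that enumerates faces until the first error. All names (demo_index, demo_index_access_element, demo_index_forget_element, demo_parser_run, demo_load_subfont) are hypothetical stand-ins, and the sample index data is constructed inline. The caller applies both remedies suggested above: the pointer starts as NULL so cleanup is harmless even if the accessor never set it, and the error is checked before anything derived from the pointer is used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a CFF INDEX: `count` elements whose bytes sit
 * back to back in `data`, delimited by `count + 1` offsets. Not FreeType's
 * real structure. */
typedef struct {
    const unsigned char *data;
    const size_t        *offsets;
    size_t               count;
} demo_index;

enum { DEMO_OK = 0, DEMO_ERR_INVALID_ARGUMENT = 6 };

/* Mirrors the behaviour described in the report: on an out-of-range element
 * it returns an error and leaves *out and *out_len untouched, so a caller
 * that did not initialise `*out` would hold an indeterminate pointer. */
static int demo_index_access_element(const demo_index *idx, size_t n,
                                     unsigned char **out, size_t *out_len)
{
    if (n >= idx->count)
        return DEMO_ERR_INVALID_ARGUMENT;

    size_t len = idx->offsets[n + 1] - idx->offsets[n];
    unsigned char *copy = malloc(len ? len : 1);   /* len may be 0 */
    if (copy == NULL)
        return DEMO_ERR_INVALID_ARGUMENT;           /* simplified: one error code */
    memcpy(copy, idx->data + idx->offsets[n], len);
    *out = copy;
    *out_len = len;
    return DEMO_OK;
}

/* Releases an element handed out by the accessor. free(NULL) is a no-op, so
 * a NULL-initialised pointer makes this call safe even after a failed access. */
static void demo_index_forget_element(unsigned char **p)
{
    free(*p);
    *p = NULL;
}

/* Stand-in "parser": sums the dict bytes so the test can confirm it ran. */
static int demo_parser_run(unsigned *sum, const unsigned char *p,
                           const unsigned char *end)
{
    unsigned s = 0;
    for (; p < end; p++)
        s += *p;
    *sum = s;
    return DEMO_OK;
}

/* Hardened version of the caller shape quoted in the report. */
static int demo_load_subfont(const demo_index *idx, size_t font_index,
                             unsigned *sum)
{
    unsigned char *dict = NULL;   /* fix 1: never free an indeterminate pointer */
    size_t dict_len = 0;
    int error;

    error = demo_index_access_element(idx, font_index, &dict, &dict_len);
    if (error)
        goto Exit;                /* fix 2: bail out before using `dict` */

    error = demo_parser_run(sum, dict, dict + dict_len);

Exit:
    demo_index_forget_element(&dict);   /* safe whether or not access succeeded */
    return error;
}

/* The enumeration loop from the report: count faces by stepping the index
 * until the first error. With the hardened loader it terminates cleanly. */
static size_t demo_count_faces(const demo_index *idx)
{
    size_t n = 0;
    unsigned sum;
    while (demo_load_subfont(idx, n, &sum) == DEMO_OK)
        n++;
    return n;
}

/* Constructed sample: three elements {1,2,3}, {10}, {} (the last is empty). */
static const unsigned char demo_sample_data[]    = { 1, 2, 3, 10 };
static const size_t        demo_sample_offsets[] = { 0, 3, 4, 4 };
static const demo_index    demo_sample_index     = { demo_sample_data,
                                                     demo_sample_offsets, 3 };

/* Convenience for checks: byte sum of element n, or -1 if it does not exist. */
static int demo_sample_sum(size_t n)
{
    unsigned sum = 0;
    if (demo_load_subfont(&demo_sample_index, n, &sum) != DEMO_OK)
        return -1;
    return (int)sum;
}

int main(void)
{
    printf("faces found: %zu\n", demo_count_faces(&demo_sample_index));
    printf("index 7 -> error %d\n",
           demo_load_subfont(&demo_sample_index, 7, &(unsigned){0}));
    return 0;
}
```

Requesting an index past the end now yields an error code instead of a free() on whatever happened to be on the stack; the same two lines (NULL initialisation, error check before use) are the general defence whenever a callee is allowed to fail without writing its out-parameters.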