[Devel] bug in cffload.c


From: Garrick Meeker
Subject: [Devel] bug in cffload.c
Date: Thu, 22 Jan 2004 08:06:05 -0800
User-agent: KMail/1.6

My code tries to find all the faces in a file by calling FT_New_Face and 
incrementing face_index until an error is returned.

However, CFF fonts will crash if the index is too big.  In cffload.c the 
following code tries to free an uninitialized pointer:

    error = cff_index_access_element( idx, font_index, &dict, &dict_len ) ||
            cff_parser_run( &parser, dict, dict + dict_len );

    cff_index_forget_element( idx, &dict );

    if ( error )
      goto Exit;

cff_index_access_element returns an error without initializing 'dict'.  I 
fixed the problem by initializing 'dict' at line 1975:

    FT_Byte*         dict = NULL;

I think you could also check for an error immediately after 
cff_index_forget_element.
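
The failure mode described above, as an added example that is not from the post or from FreeType: a hypothetical stand-in for a CFF INDEX (the names `Index`, `index_access_element`, `index_forget_element`, `parser_run` and `load_dict_fixed` are assumptions, not FreeType's API) whose access routine leaves the output pointer untouched on error, exactly like the behaviour reported for `cff_index_access_element`. The buggy shape is shown in a comment only, since freeing an indeterminate pointer is undefined behaviour; the runnable `load_dict_fixed` applies both fixes (initialise the pointer to NULL, and check the access error before anything else touches the buffer), and a constructed allocation counter shows the release still happens on the parse-error path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a CFF INDEX; not FreeType's cff_index. */
typedef unsigned char Byte;
typedef int           Error;
#define ERR_OK            0
#define ERR_INVALID_INDEX 1
#define ERR_SYNTAX        2

typedef struct {
    const Byte *data;        /* concatenated element bytes */
    size_t      count;       /* number of elements */
    size_t      offsets[8];  /* offsets[i]..offsets[i+1] delimit element i */
} Index;

/* Constructed bookkeeping so a test can prove no copy is leaked. */
int live_allocations = 0;

/* Hands out a malloc'd copy of element i. Like the routine named in the
 * post, it does NOT write *pbytes on the error path. */
static Error index_access_element(const Index *idx, size_t i,
                                  Byte **pbytes, size_t *plen)
{
    if (i >= idx->count)
        return ERR_INVALID_INDEX;          /* *pbytes left untouched */
    size_t len  = idx->offsets[i + 1] - idx->offsets[i];
    Byte  *copy = malloc(len ? len : 1);
    if (!copy)
        return ERR_INVALID_INDEX;          /* simplification for the demo */
    memcpy(copy, idx->data + idx->offsets[i], len);
    live_allocations++;
    *pbytes = copy;
    *plen   = len;
    return ERR_OK;
}

/* Releases a copy from index_access_element. Safe on NULL, so a caller that
 * initialised its pointer can always call it unconditionally. */
static void index_forget_element(Byte **pbytes)
{
    if (*pbytes) {
        free(*pbytes);
        live_allocations--;
    }
    *pbytes = NULL;
}

/* Toy "dict parser": element must be ASCII key=digits; returns the value. */
static Error parser_run(const Byte *start, const Byte *limit, int *out)
{
    const Byte *p = start;
    while (p < limit && *p != '=')
        p++;
    if (p == limit || p + 1 == limit)
        return ERR_SYNTAX;
    int v = 0;
    for (p++; p < limit; p++) {
        if (*p < '0' || *p > '9')
            return ERR_SYNTAX;
        v = v * 10 + (*p - '0');
    }
    *out = v;
    return ERR_OK;
}

/* Shape of the code quoted in the post (not compiled here):
 *
 *     Byte  *dict;                 -- indeterminate
 *     error = index_access_element( idx, font_index, &dict, &dict_len ) ||
 *             parser_run( dict, dict + dict_len, out );
 *     index_forget_element( &dict );   -- frees stack garbage when the
 *                                         index was out of range
 */

/* Hardened version: the pointer is never indeterminate, and the error is
 * checked before the parser or the release routine can see the buffer. */
static Error load_dict_fixed(const Index *idx, size_t font_index, int *out)
{
    Byte  *dict     = NULL;   /* fix from the post: initialise */
    size_t dict_len = 0;
    Error  error;

    error = index_access_element(idx, font_index, &dict, &dict_len);
    if (error)
        return error;         /* nothing was handed out, nothing to forget */

    error = parser_run(dict, dict + dict_len, out);
    index_forget_element(&dict);   /* runs on success and on parse failure */
    return error;
}

/* Constructed sample: three elements "a=7", "b=42", "bad". */
static const Byte sample_data[] = "a=7b=42bad";
static Index sample_index(void)
{
    Index idx;
    idx.data = sample_data;
    idx.count = 3;
    idx.offsets[0] = 0; idx.offsets[1] = 3;
    idx.offsets[2] = 7; idx.offsets[3] = 10;
    return idx;
}

int main(void)
{
    Index idx = sample_index();
    int   v   = 0;
    printf("face 1: err=%d value=%d\n", load_dict_fixed(&idx, 1, &v), v);
    printf("face 9: err=%d (out of range, no crash)\n",
           load_dict_fixed(&idx, 9, &v));
    printf("live allocations after error paths: %d\n", live_allocations);
    return 0;
}
```

Probing faces by incrementing `font_index` until an error comes back, as the post describes, is exactly the out-of-range path: with the original shape the first failing index frees whatever the stack held, with the fixed shape it returns the error cleanly.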


