File source-dvipng.dif of Package texlive
--- texk/dvipng/draw.c
+++ texk/dvipng/draw.c 2010-04-15 09:42:58.183424840 +0000
@@ -99,7 +99,16 @@ dviunits SetChar(int32_t c)
if (currentfont==NULL)
Fatal("faulty DVI, trying to set character from null font");
- ptr = currentfont->chr[c];
+
+ if (c<0 || c>LASTFNTCHAR) {
+ Warning("glyph index out of range (%d), skipping",c);
+ return(0);
+ }
+ ptr=currentfont->chr[c];
+ if (ptr==NULL) {
+ Warning("unable to draw glyph %d, skipping",c);
+ return(0);
+ }
#ifdef DEBUG
switch (currentfont->type) {
case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n VF CHAR:\t")); break;
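Review bot: The new bounds test in SetChar is written against `LASTFNTCHAR` (`c>LASTFNTCHAR`), while the corresponding fix in InitVF (the second vf.c hunk) uses `c >= NFNTCHARS`. Neither constant's definition nor the declared size of `chr[]` is visible in this diff, so it should be confirmed that `LASTFNTCHAR` equals `NFNTCHARS-1` and that `chr` has `NFNTCHARS` entries; otherwise one of the two checks is still off by one. A short comment at the check, such as `/* c comes from the DVI stream; chr[] holds NFNTCHARS entries */`, would make the invariant explicit. SetChar's body begins and ends outside this hunk.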
@@ -108,13 +117,13 @@ dviunits SetChar(int32_t c)
case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n FT CHAR:\t")); break;
default: DEBUG_PRINT(DEBUG_DVI,("\n NO CHAR:\t"))
}
- if (isprint(c))
+ if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,hh,vv,ptr?ptr->tfmw:0));
#endif
if (currentfont->type==FONT_TYPE_VF) {
- return(SetVF(c));
- } else if (ptr) {
+ return(SetVF(ptr));
+ } else {
if (ptr->data == NULL)
switch(currentfont->type) {
case FONT_TYPE_PK: LoadPK(c, ptr); break;
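Review bot: The DEBUG-only guard `c<=UCHAR_MAX && isprint(c)` needs `<limits.h>` for `UCHAR_MAX`, and this patch adds that include only to dvipsk/virtualfont.c, not to draw.c. Unless dvipng.h or another header already pulls it in (not visible here), builds with DEBUG defined will fail to compile, and the hardened path then goes untested in exactly the configuration used for diagnosing bad DVI files. Separately, replacing `else if (ptr)` with a bare `else` makes the earlier `ptr==NULL` return in the first hunk load-bearing for the `ptr->data` dereference; a one-line comment such as `/* ptr is non-NULL here, checked above */` would keep a later edit from removing it. The function continues outside the hunk.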
@@ -128,7 +137,7 @@ dviunits SetChar(int32_t c)
Fatal("undefined fonttype %d",currentfont->type);
}
if (page_imagep != NULL)
- return(SetGlyph(c, hh, vv));
+ return(SetGlyph(ptr, hh, vv));
else {
/* Expand bounding box if necessary */
min(x_min,hh - ptr->xOffset/shrinkfactor);
--- texk/dvipng/dvipng.h
+++ texk/dvipng/dvipng.h 2010-03-18 07:43:26.000000000 +0000
@@ -387,9 +387,9 @@ void DrawPages(void);
void WriteImage(char*, int);
void LoadPK(int32_t, register struct char_entry *);
int32_t SetChar(int32_t);
-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv);
+dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
void Gamma(double gamma);
-int32_t SetVF(int32_t);
+int32_t SetVF(struct char_entry *ptr);
int32_t SetRule(int32_t, int32_t, int32_t, int32_t);
void SetSpecial(char *, int32_t, int32_t, int32_t);
void BeginVFMacro(struct font_entry*);
--- texk/dvipng/set.c
+++ texk/dvipng/set.c 2010-04-15 09:38:23.134925288 +0000
@@ -202,10 +202,9 @@ void Gamma(double gamma)
}
}
-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
+dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv)
/* gdImageChar can only do monochrome glyphs */
{
- register struct char_entry *ptr = currentfont->chr[c];
int dst_alpha,dst_weight,tot_weight,alpha;
int x,y,pos=0;
int bgColor,pixelgrey,pixelcolor;
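Review bot: SetGlyph now takes a caller-supplied `struct char_entry *ptr` instead of looking it up from `c`, and the visible lines add no NULL check of its own, so the function's safety depends entirely on the validation done in SetChar. The existing header comment should state that precondition, for example `/* ptr must be a non-NULL entry of currentfont->chr[]; callers validate the index */`. The same applies to SetVF in the first vf.c hunk, which received the identical signature change. Any callers of either function other than SetChar are not visible in this diff and would need the same range and NULL checks. The body of SetGlyph continues outside the hunk.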
--- texk/dvipng/vf.c
+++ texk/dvipng/vf.c 2010-04-15 09:39:21.691425023 +0000
@@ -28,11 +28,10 @@
#define VF_ID 202
#define LONG_CHAR 242
-int32_t SetVF(int32_t c)
+int32_t SetVF(struct char_entry* ptr)
{
struct font_entry* currentvf;
unsigned char *command,*end;
- struct char_entry* ptr=currentfont->chr[c];
currentvf=currentfont;
BeginVFMacro(currentvf);
@@ -117,7 +116,7 @@ void InitVF(struct font_entry * tfontp)
tcharptr->tfmw = (int32_t)
((int64_t) tcharptr->tfmw * tfontp->s / (1 << 20));
DEBUG_PRINT(DEBUG_VF,(" (%d)",tcharptr->tfmw));
- if (c > NFNTCHARS) /* Only positive for now */
+ if (c < 0 || c >= NFNTCHARS) /* Only positive for now */
Fatal("VF font %s exceeds char numbering limit",tfontp->name);
tfontp->chr[c] = tcharptr;
tcharptr->data=position;
--- texk/dvipsk/dospecial.c
+++ texk/dvipsk/dospecial.c 2010-04-29 14:30:10.000000000 +0000
@@ -325,7 +325,11 @@ void predospecial P2C(integer, numbytes,
int j ;
static int omega_specials = 0;
- if (nextstring + numbytes > maxstring) {
+ if (numbytes < 0 || numbytes > maxstring - nextstring) {
+ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
+ error("! Integer overflow in predospecial");
+ exit(1);
+ }
p = nextstring = mymalloc(1000 + 2 * numbytes) ;
maxstring = nextstring + 2 * numbytes + 700 ;
}
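Review bot: The overflow guard `numbytes > (INT_MAX - 1000) / 2` relies on `INT_MAX`, but this patch adds `#include <limits.h>` only to virtualfont.c, so dospecial.c compiles only if dvips.h or another header already provides it (not visible here). The same applies to the identical guard in the bbdospecial hunk below. It is also worth confirming that `INT_MAX` is the right ceiling for the argument type of `mymalloc`, since `numbytes` is declared as `integer`, whose width this diff does not show. A comment such as `/* numbytes comes from the DVI special length; reject values that would wrap 1000 + 2*numbytes */` would record why the inner test exists. predospecial's body continues outside the hunk.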
@@ -903,7 +907,11 @@ float *bbdospecial P1C(int, nbytes)
char seen[NKEYS] ;
float valseen[NKEYS] ;
- if (nextstring + nbytes > maxstring) {
+ if (nbytes < 0 || nbytes > maxstring - nextstring) {
+ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
+ error("! Integer overflow in bbdospecial");
+ exit(1);
+ }
p = nextstring = mymalloc(1000 + 2 * nbytes) ;
maxstring = nextstring + 2 * nbytes + 700 ;
}
--- texk/dvipsk/virtualfont.c
+++ texk/dvipsk/virtualfont.c 2010-04-15 09:32:17.242926052 +0000
@@ -2,6 +2,8 @@
* Here's the code to load a VF file into memory.
* Any resemblance between this file and loadfont.c is purely uncoincidental.
*/
+#include <limits.h>
+#include <stdio.h>
#include "dvips.h" /* The copyright notice in that file is included too! */
#ifdef KPATHSEA
#include <kpathsea/c-pathmx.h>
@@ -21,7 +23,7 @@ extern quarterword *raster ;
#ifndef KPATHSEA
extern char *vfpath ;
#endif
-extern char errbuf[200] ;
+extern char errbuf[LINE_MAX] ;
extern real conv ;
extern real vconv ;
extern real alpha ;
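Review bot: Changing `extern char errbuf[200]` to `extern char errbuf[LINE_MAX]` alters only this file's declaration; the defining declaration of `errbuf` lives in another translation unit and is not touched anywhere in the visible diff. If the definition is still 200 bytes, `sizeof(errbuf)` in this file evaluates to `LINE_MAX`, and the new `snprintf(errbuf, sizeof(errbuf), ...)` calls in badvf and virtualfont are bounded by a size larger than the real buffer, which leaves the overflow in place. The definition and every other `extern` declaration of `errbuf` should be changed in the same patch. Better still, the size could come from a single shared constant in dvips.h.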
@@ -36,11 +38,11 @@ extern Boolean noomega ;
* Subroutine vfbyte returns the next byte.
*/
static FILE *vffile ;
-static char name[50] ;
+static char name[PATH_MAX] ;
void
badvf P1C(char *, s)
{
- (void)sprintf(errbuf,"! Bad VF file %s: %s",name,s) ;
+ (void)snprintf(errbuf, sizeof(errbuf), "! Bad VF file %s: %s",name,s) ;
error(errbuf);
}
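Review bot: `static char name[PATH_MAX]` assumes `<limits.h>` defines `PATH_MAX`, which POSIX does not guarantee, and the kpathsea fallback header `c-pathmx.h` is included only under `#ifdef KPATHSEA`. On a non-KPATHSEA build for a platform without the macro this fails to compile, and `LINE_MAX` in the previous hunk has the same portability limit. A guarded fallback after the includes (`#ifndef PATH_MAX` / `#define PATH_MAX 1024` / `#endif`) would keep the non-KPATHSEA configuration building. The `snprintf` in badvf truncates silently, which is acceptable for a diagnostic message.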
@@ -94,9 +96,9 @@ vfopen P1C(register fontdesctype *, fd)
d = vfpath ;
#endif
#ifdef MVSXA /* IBM: MVS/XA */
- (void)sprintf(name, "vf(%s)", n) ;
+ (void)snprintf(name, sizeof(name), "vf(%s)", n) ;
#else
- (void)sprintf(name, "%s.vf", n) ;
+ (void)snprintf(name, sizeof(name), "%s.vf", n) ;
#endif
#ifdef KPATHSEA
if (0 != (vffile=search(vfpath, name, READBIN)))
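Review bot: Both `snprintf(name, sizeof(name), ...)` calls in vfopen discard the return value, so an over-long font name is silently truncated and the search that follows runs on a different file name from the one requested, possibly without its `.vf` suffix. The overflow is fixed, but a crafted name can still steer the lookup to an unintended file. Checking for truncation and reporting it closes that gap, e.g. `if ((size_t)snprintf(name, sizeof(name), "%s.vf", n) >= sizeof(name)) badvf("font name too long");`, with the same check in the MVSXA branch. vfopen's body begins and ends outside the hunk.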
@@ -212,7 +214,7 @@ virtualfont P1C(register fontdesctype *,
check_checksum (k, curfnt->checksum, curfnt->name);
k = (integer)(alpha * (real)vfquad()) ;
if (k > curfnt->designsize + 2 || k < curfnt->designsize - 2) {
- (void)sprintf(errbuf,"Design size mismatch in font %s", name) ;
+ (void)snprintf(errbuf, sizeof(errbuf), "Design size mismatch in font %s", name) ;
error(errbuf) ;
}
/*