[gs-cvs] rev 8228 - trunk/gs/lib

Wed Sep 5 00:54:55 PDT 2007

Author: mpsuzuki
Date: 2007-09-05 00:54:54 -0700 (Wed, 05 Sep 2007)
New Revision: 8228

Modified:
   trunk/gs/lib/gs_ttf.ps
Log:
Fix (TT fonts) : Suppress loading trailing data after chosen cmap subtable.

DETAILS:

The current cmap selector/loader tries to load a subtable
for Microsoft platform && UCS2 encoding with anything
in trailer, although only MS+UCS2 subtable is used.
Thus, if the cmap table has several additional subtables
after MS+UCS2 subtable (e.g. multiple 16bit cmap subtable
for Shift-JIS/Big5/GB2312/Wansung/Johab, or very long
32bit subtable in format 8/10/12, or simple junk data),
cmap subtable loader tries to load MS+UCS2 subtable and
trailing garbage, and tries to define /cmaptab for
concatenated string of them. So, rangecheck or limitcheck
error can occur due to too-long string. Typical example
is found in bug 688337 which is caused by TrueType font
including cmap subtable in format 12.

If we restrict the scope to MS+UCS2 subtable, it must
not be greater than 0xFFFF bytes. Because cmap subtable
headers in format 0,2,4,6 define these tables length in
16bit. The cmap parser is fixed to check the subtable
header content and read exact length of chosen subtable,
to exclude trailing garbage.

In addition, /getinterval_from_stringarray has a bug
that appears when the end of requested string just fits
to the gap of member strings. The bug is fixed, too.

By this patch, bug 688337 is fixed.

DIFFERENCE:

None.


Modified: trunk/gs/lib/gs_ttf.ps
===================================================================

--- trunk/gs/lib/gs_ttf.ps	2007-09-03 13:19:11 UTC (rev 8227)
+++ trunk/gs/lib/gs_ttf.ps	2007-09-05 07:54:54 UTC (rev 8228)
@@ -530,7 +530,7 @@
         3 1 roll                                  % s o minl p lSi
         sub                                       % s o minl p'
         3 1 roll add                              % s p' o'
-        dup 3 index length ge {
+        dup 3 index length ge 2 index 0 le or {
           exch exit                               % s o p'
         } if
         exch                                      % s o' p'
@@ -1074,8 +1074,13 @@
           } if
           /cmapsub 1 index def
           dup 4 getu32                                   % bool [] i PlatID SpecID (cmap) (cmapsub) p
-          cmaptab length 1 index sub                     % bool [] i PlatID SpecID (cmap) (cmapsub) p l
-          cmaptab 3 1 roll getinterval
+          cmaptab 1 index getu16a                        %     get cmap format
+          8 lt {                                         %     length for traditional 16bit format 0, 2, 4, 6
+            cmaptab 1 index 2 add getu16a
+          } {                                            %     length for advanced 32bit format 8, 10, 12
+            cmaptab 1 index 4 add getu32a
+          } ifelse                                       % bool [] i PlatID SpecID (cmap) (cmapsub) p l
+          cmaptab 3 1 roll getinterval_from_stringarray
           /cmaptab exch def                              % bool [] i PlatID SpecID (cmap) (cmapsub)
           5 index 5 index 1 add get                      % bool [] i PlatID SpecID (cmap) (cmapsub) /Decoding
           /Decoding exch def                             % bool [] i PlatID SpecID (cmap) (cmapsub)

