[cairo-commit] 2 commits - src/cairo-output-stream.c src/cairo-truetype-subset.c

[Adrian Johnson]

 src/cairo-output-stream.c   |   10 +++++++---
 src/cairo-truetype-subset.c |   16 ++++++++++++++--
 2 files changed, 21 insertions(+), 5 deletions(-)

New commits:
commit bb10bd10138a262759b37281135b5199e334f392
Author: Adrian Johnson <ajohnson at redneon.com>
Date:   Fri Oct 13 19:44:45 2017 +1030

    truetype: limit font name to 127 chars
    
    Some broken fonts have long strings of garbage in the font name
    
    https://bugs.freedesktop.org/show_bug.cgi?id=103249

diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
index e934689a..cbf85fa1 100644
--- a/src/cairo-truetype-subset.c
+++ b/src/cairo-truetype-subset.c
@@ -1431,6 +1431,12 @@ cleanup:
     return status;
 }
 
+/*
+ * Sanity check on font name length as some broken fonts may return very long
+ * strings of garbage. 127 is maximum length of a PS name.
+ */
+#define MAX_FONT_NAME_LENGTH 127
+
 static cairo_status_t
 find_name (tt_name_t *name, int name_id, int platform, int encoding, int language, char **str_out)
 {
@@ -1449,11 +1455,17 @@ find_name (tt_name_t *name, int name_id, int platform, int encoding, int languag
             be16_to_cpu (record->encoding) == encoding &&
 	    (language == -1 || be16_to_cpu (record->language) == language)) {
 
-	    str = malloc (be16_to_cpu (record->length) + 1);
+	    len = be16_to_cpu (record->length);
+	    if (platform == 3 && len > MAX_FONT_NAME_LENGTH*2) /* UTF-16 name */
+		break;
+
+	    if (len > MAX_FONT_NAME_LENGTH)
+		break;
+
+	    str = malloc (len + 1);
 	    if (str == NULL)
 		return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 
-	    len = be16_to_cpu (record->length);
 	    memcpy (str,
 		    ((char*)name) + be16_to_cpu (name->strings_offset) + be16_to_cpu (record->offset),
 		    len);
commit 202a9ed64e3d164307defddb41a9f8cf9e9b751b
Author: Adrian Johnson <ajohnson at redneon.com>
Date:   Fri Oct 13 19:27:03 2017 +1030

    output-stream: allow %s strings larger than 512 chars
    
    https://bugs.freedesktop.org/show_bug.cgi?id=103249

diff --git a/src/cairo-output-stream.c b/src/cairo-output-stream.c
index 76d718aa..f43f212e 100644
--- a/src/cairo-output-stream.c
+++ b/src/cairo-output-stream.c
@@ -490,9 +490,13 @@ _cairo_output_stream_vprintf (cairo_output_stream_t *stream,
                           single_fmt, va_arg (ap, long int));
             }
 	    break;
-	case 's':
-	    snprintf (buffer, sizeof buffer,
-		      single_fmt, va_arg (ap, const char *));
+	case 's': {
+	    /* Write out strings as they may be larger than the buffer. */
+	    const char *s = va_arg (ap, const char *);
+	    int len = strlen(s);
+	    _cairo_output_stream_write (stream, s, len);
+	    buffer[0] = 0;
+	    }
 	    break;
 	case 'f':
 	    _cairo_dtostr (buffer, sizeof buffer, va_arg (ap, double), FALSE);