Author: tkreuzer Date: Thu May 5 15:45:08 2011 New Revision: 51590
URL: http://svn.reactos.org/svn/reactos?rev=51590&view=rev Log: [GDI FONT DRIVER] - Fix buffer overflow checks in FtfdQueryTrueTypeTable and return the correct value - Implement FtfdGetTrueTypeFile
Modified: branches/GSoC_2011/GdiFontDriver/drivers/video/font/ftfd/font.c branches/GSoC_2011/GdiFontDriver/drivers/video/font/ftfd/todo.txt
Modified: branches/GSoC_2011/GdiFontDriver/drivers/video/font/ftfd/font.c URL: http://svn.reactos.org/svn/reactos/branches/GSoC_2011/GdiFontDriver/drivers/... ==============================================================================
--- branches/GSoC_2011/GdiFontDriver/drivers/video/font/ftfd/font.c [iso-8859-1] (original)
+++ branches/GSoC_2011/GdiFontDriver/drivers/video/font/ftfd/font.c [iso-8859-1] Thu May 5 15:45:08 2011
@@ -697,11 +697,10 @@
 ULONG *pcjTable)
 {
 PFTFD_FILE pfile = (PFTFD_FILE)diFile;
- PBYTE pjTable, pjData;
+ PBYTE pjTable;
 ULONG cjTable;
 DbgPrint("FtfdQueryTrueTypeTable\n");
- __debugbreak();
 /* Check if this file supports TrueType tables */
 if (pfile->ulFileFormat != FILEFMT_TTF &&
@@ -710,6 +709,8 @@
 DbgPrint("File format doesn't support true type tables\n");
 return FD_ERROR;
 }
+
+ // FIXME: handle ulFont
 /* Check if the whole file is requested */
 if (ulTag == 0)
@@ -729,29 +730,32 @@
 }
 }
- // FIXME: handle ulFont
-
- /* Check for overflow and if the offset and size fit into the view */
- pjData = pjTable + dpStart;
- if ( (pjData < pjTable) || (pjData + cjBuf < pjData) ||
- (pjData + cjBuf > (PBYTE)pfile->pvView + pfile->cjView) )
- {
- DbgPrint("Overflow: dpStart=0x%lx, cjBuf=0x%lx\n", dpStart, cjBuf);
- return FD_ERROR;
- }
-
- /* Check if we shall copy data */
- if (pjBuf)
- {
- /* Copy the data to the buffer */
- RtlCopyMemory(pjBuf, pjTable + dpStart, cjBuf);
- }
-
 /* Return requested pointers */
 if (ppjTable) *ppjTable = pjTable;
 if (pcjTable) *pcjTable = cjTable;
- return FD_ERROR;
+
+ /* Check if we shall copy data */
+ if (pjBuf)
+ {
+ /* Check if the offset is inside the table */
+ if (dpStart < 0 || (ULONG_PTR)dpStart >= cjTable)
+ {
+ DbgPrint("dpStart outside the table: %p\n", dpStart);
+ return FD_ERROR;
+ }
+
+ /* Don't copy beyond the table end */
+ cjTable -= dpStart;
+
+ /* Don't copy more then the buffer can hold */
+ if (cjBuf < cjTable) cjTable = cjBuf;
+
+ /* Copy the data to the buffer */
+ RtlCopyMemory(pjBuf, pjTable + dpStart, cjTable);
+ }
+
+ return cjTable;
 }
 PVOID
@@ -760,9 +764,21 @@
 ULONG_PTR diFile,
 ULONG *pcj)
 {
+ PFTFD_FILE pfile = (PFTFD_FILE)diFile;
+
 DbgPrint("FtfdGetTrueTypeFile\n");
- __debugbreak();
- return 0;
+
+ /* Check if this file is TrueType */
+ if (pfile->ulFileFormat != FILEFMT_TTF &&
+ pfile->ulFileFormat != FILEFMT_OTF)
+ {
+ DbgPrint("File format is not TrueType or Opentype\n");
+ return NULL;
+ }
+
+ /* Return the pointer and size */
+ if (pcj) *pcj = pfile->cjView;
+ return pfile->pvView;
 }
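Review bot: The copy in the new `if (pjBuf)` block is bounded only by cjTable, while the check against the mapped view that the removed lines performed (`pjData + cjBuf > (PBYTE)pfile->pvView + pfile->cjView`) has no replacement; unless the lookup that fills pjTable and cjTable (above this hunk — FtfdQueryTrueTypeTable starts outside it) already verifies that the table lies inside the view, cjTable is a length read from the font's own table directory, and a malformed font can make RtlCopyMemory read past the end of the mapping. A guard kept next to the copy, such as `ULONG_PTR off = (ULONG_PTR)(pjTable - (PBYTE)pfile->pvView); if (pjTable < (PBYTE)pfile->pvView || off > pfile->cjView || cjTable > pfile->cjView - off) return FD_ERROR;`, would make the bound independent of what the lookup did. In the new DbgPrint, `%p` is paired with dpStart, which the `dpStart < 0` test treats as a signed integer offset, so specifier and argument disagree; cast it (`(PVOID)dpStart`) or print it with an integer specifier as the removed line did. The comment `/* Don't copy more then the buffer can hold */` should read `than`.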
#if 0 // not needed atm
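Review bot: The format test added to FtfdGetTrueTypeFile (`pfile->ulFileFormat != FILEFMT_TTF && pfile->ulFileFormat != FILEFMT_OTF`) repeats the one FtfdQueryTrueTypeTable performs in the first hunk of this file, so the two accepted-format lists can drift apart; a single helper such as `static BOOL FtfdIsTrueTypeFile(PFTFD_FILE pfile) { return pfile->ulFileFormat == FILEFMT_TTF || pfile->ulFileFormat == FILEFMT_OTF; }` used by both would keep them in step. The function also hands the caller a raw pointer into the file's mapped view (`pfile->pvView`) rather than a copy; a header comment should say that the returned memory belongs to the font file object and must not be written through or retained beyond the file's lifetime (how long the view stays mapped is not visible here — confirm against the unload path). `return NULL` is the right spelling for the failure path given the PVOID return type, replacing the old `return 0`.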
Modified: branches/GSoC_2011/GdiFontDriver/drivers/video/font/ftfd/todo.txt URL: http://svn.reactos.org/svn/reactos/branches/GSoC_2011/GdiFontDriver/drivers/... ============================================================================== --- branches/GSoC_2011/GdiFontDriver/drivers/video/font/ftfd/todo.txt [iso-8859-1] (original) +++ branches/GSoC_2011/GdiFontDriver/drivers/video/font/ftfd/todo.txt [iso-8859-1] Thu May 5 15:45:08 2011 @@ -15,7 +15,7 @@ - implement QFF_DESCRIPTION, unimportant - FtfdQueryFontCaps: 100% done - FtfdQueryTrueTypeTable: 100% done -- FtfdGetTrueTypeFile: unimplemented +- FtfdGetTrueTypeFile: 100% done
- FtfdQueryFontData: 10%, depends on FtfdLoadGlyph - QFD_MAXEXTENTS: dependes on FtfdQueryMaxExtents