[freetype2] master 9c54d12: [psaux] Fix handling of invalid flex subrs.
From: Werner LEMBERG
Subject: [freetype2] master 9c54d12: [psaux] Fix handling of invalid flex subrs.
Date: Tue, 11 Oct 2016 06:58:28 +0000 (UTC)
branch: master
commit 9c54d1246abc7172f1e0ca88b786c3b6e32d000b
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
[psaux] Fix handling of invalid flex subrs.
Problem reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
<op_callothersubr>: Set `flex_state' after error checking.
---
ChangeLog | 11 +++++++++++
src/psaux/t1decode.c | 25 +++++++++++++------------
2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c11716f..dc4232f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2016-10-11 Werner Lemberg <address@hidden>
+ [psaux] Fix handling of invalid flex subrs.
+
+ Problem reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+ <op_callothersubr>: Set `flex_state' after error checking.
+
+2016-10-11 Werner Lemberg <address@hidden>
+
* src/truetype/ttgxvar.c (tt_done_blend): Fix deallocation.
2016-10-08 Werner Lemberg <address@hidden>
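Review bot: The new entry names only `<op_callothersubr>`, but the same commit also touches the `hvcurveto`, `rrcurveto` and `vhcurveto` branches of `t1_decoder_parse_charstrings` and rewrites the two `flex_state == 0` tests. Either list those as formatting changes in the entry or move them to their own commit, so a reader tracing the oss-fuzz report from the ChangeLog sees exactly which lines are the fix.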
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index 4a32b82..119b80f 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -734,7 +734,7 @@
if ( arg_cnt != 3 )
goto Unexpected_OtherSubr;
- if ( decoder->flex_state == 0 ||
+ if ( !decoder->flex_state ||
decoder->num_flex_vectors != 7 )
{
FT_ERROR(( "t1_decoder_parse_charstrings:"
@@ -752,13 +752,14 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
- decoder->flex_state = 1;
- decoder->num_flex_vectors = 0;
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 6 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
+
+ decoder->flex_state = 1;
+ decoder->num_flex_vectors = 0;
break;
case 2: /* add flex vectors */
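Review bot: In the start-flex case, the `goto Fail` path now leaves `decoder->flex_state` at whatever value it had on entry, and the visible lines of this case never test or clear it before calling `t1_builder_start_point`. If a charstring can reach start flex while an earlier flex is still open, a failed start would keep the old state set; clearing `decoder->flex_state` to 0 before the two builder calls and setting it to 1 only after them would make the failure path unambiguous. A one-line comment above the moved assignments, saying they must stay after the error check, would also keep a later cleanup from reordering them.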
@@ -769,7 +770,7 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
- if ( decoder->flex_state == 0 )
+ if ( !decoder->flex_state )
{
FT_ERROR(( "t1_decoder_parse_charstrings:"
" missing flex start\n" ));
@@ -1222,9 +1223,9 @@
FT_TRACE4(( " hvcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
x += top[0];
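Review bot: The `-`/`+` pairs on `!= FT_Err_Ok` in the `hvcurveto` branch carry identical tokens, so this hunk changes layout only, as do the `rrcurveto` and `vhcurveto` hunks that follow. Bundling them with a fuzzer-found fix makes the patch harder to cherry-pick to a release branch and adds noise to `git blame` on the curve operators; suggest splitting the realignment into a separate formatting commit.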
@@ -1269,9 +1270,9 @@
FT_TRACE4(( " rrcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
x += top[0];
@@ -1291,9 +1292,9 @@
FT_TRACE4(( " vhcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
y += top[0];