freetype-commit
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freetype2] master 10e54d0: [truetype] Some fixes for VF checks.

From: Werner LEMBERG
Subject: [freetype2] master 10e54d0: [truetype] Some fixes for VF checks.
Date: Thu, 13 Sep 2018 15:48:07 -0400 (EDT) 
branch: master
commit 10e54d04b975cf8a879b18ed0383bb4be8b1a7d5
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [truetype] Some fixes for VF checks.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10317
    
    * src/truetype/ttgxvar.c (ft_var_load_gvar): Properly exit memory
    frame if we have invalid glyph variation data offsets.
    (tt_face_vary_cvt): Protect against missing `tuplecoords' array.
    Fix typo.
---
 ChangeLog              | 13 +++++++++++++
 src/truetype/ttgxvar.c | 25 ++++++++++++++++++-------
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 004fc4b..be013e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,18 @@
 2018-09-13  Werner Lemberg  <address@hidden>
 
+       [truetype] Some fixes for VF checks.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10317
+
+       * src/truetype/ttgxvar.c (ft_var_load_gvar): Properly exit memory
+       frame if we have invalid glyph variation data offsets.
+       (tt_face_vary_cvt): Protect against missing `tuplecoords' array.
+       Fix typo.
+
+2018-09-13  Werner Lemberg  <address@hidden>
+
        * src/sfnt/sfdriver.c (sfnt_get_var_ps_name): Fix last commit.
 
 2018-09-13  Werner Lemberg  <address@hidden>
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index bb6c684..9f41d0e 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1548,11 +1548,9 @@
                       " invalid glyph variation data offset for index %d\n",
                       i ));
           error = FT_THROW( Invalid_Table );
-          goto Exit;
+          break;
         }
       }
-
-      FT_FRAME_EXIT();
     }
     else
     {
@@ -1573,13 +1571,15 @@
                       " invalid glyph variation data offset for index %d\n",
                       i ));
           error = FT_THROW( Invalid_Table );
-          goto Exit;
+          break;
         }
       }
-
-      FT_FRAME_EXIT();
     }
 
+    FT_FRAME_EXIT();
+    if ( error )
+      goto Exit;
+
     if ( blend->tuplecount != 0 )
     {
       if ( FT_NEW_ARRAY( blend->tuplecoords,
@@ -3263,13 +3263,24 @@
                     " invalid tuple index\n" ));
 
         error = FT_THROW( Invalid_Table );
-        goto Exit;
+        goto FExit;
       }
       else
+      {
+        if ( !blend->tuplecoords )
+        {
+          FT_TRACE2(( "tt_face_vary_cvt:"
+                      " no valid tuple coordinates available\n" ));
+
+          error = FT_THROW( Invalid_Table );
+          goto FExit;
+        }
+
         FT_MEM_COPY(
           tuple_coords,
           &blend->tuplecoords[( tupleIndex & 0xFFF ) * blend->num_axis],
           blend->num_axis * sizeof ( FT_Fixed ) );
+      }
 
       if ( tupleIndex & GX_TI_INTERMEDIATE_TUPLE )
       {
reply via email to
[Prev in Thread] Current Thread [Next in Thread]