[freetype2] master 65681e6: [truetype] Improve VF check.

freetype-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freetype2] master 65681e6: [truetype] Improve VF check.

From:	Werner LEMBERG
Subject:	[freetype2] master 65681e6: [truetype] Improve VF check.
Date:	Wed, 12 Sep 2018 01:41:17 -0400 (EDT)

branch: master
commit 65681e6dc1937db57d5905c5dd89e0a306bc0634
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [truetype] Improve VF check.
    
    Triggered by
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255
    
    * src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
    for `tupleCount'.
---
 ChangeLog              | 11 +++++++++++
 src/truetype/ttgxvar.c | 11 +++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ac063f1..6223b23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2018-09-12  Werner Lemberg  <address@hidden>
 
+       [truetype] Improve VF check.
+
+       Triggered by
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255
+
+       * src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
+       for `tupleCount'.
+
+2018-09-12  Werner Lemberg  <address@hidden>
+
        * src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.
 
 2018-09-10  Armin Hasitzka  <address@hidden>
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 3a2c540..bb6c684 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3672,6 +3672,7 @@
 
     FT_UInt   tupleCount;
     FT_ULong  offsetToData;
+    FT_ULong  dataSize;
 
     FT_ULong  here;
     FT_UInt   i, j;
@@ -3712,9 +3713,11 @@
          FT_NEW_ARRAY( has_delta, n_points )  )
       goto Fail1;
 
-    if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] )   ||
-         FT_FRAME_ENTER( blend->glyphoffsets[glyph_index + 1] -
-                           blend->glyphoffsets[glyph_index] ) )
+    dataSize = blend->glyphoffsets[glyph_index + 1] -
+                 blend->glyphoffsets[glyph_index];
+
+    if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
+         FT_FRAME_ENTER( dataSize )                         )
       goto Fail1;
 
     glyph_start = FT_Stream_FTell( stream );
@@ -3731,7 +3734,7 @@
 
     /* rough sanity test */
     if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
-           blend->gvar_size )
+           dataSize )
     {
       FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
                   " invalid glyph variation array header\n" ));

[Prev in Thread]

Current Thread

[Next in Thread]

[freetype2] master 65681e6: [truetype] Improve VF check., Werner LEMBERG <=

Prev by Date: [freetype2] master 53c5e4b: * src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.
Next by Date: [freetype2] master 6b53300: [sfnt] Better PS name handling (#54629).
Previous by thread: [freetype2] master 53c5e4b: * src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.
Next by thread: [freetype2] master 6b53300: [sfnt] Better PS name handling (#54629).
Index(es):
- Date
- Thread