[freetype2] master 839a023: * src/sfnt/sfwoff2.c (reconstruct_font): Fix
From: |
Werner LEMBERG |
Subject: |
[freetype2] master 839a023: * src/sfnt/sfwoff2.c (reconstruct_font): Fix memory leak. |
Date: |
Mon, 30 Sep 2019 01:42:15 -0400 (EDT) |
branch: master
commit 839a023619b593b742f62ffab8e7e4f9da8c1593
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>
* src/sfnt/sfwoff2.c (reconstruct_font): Fix memory leak.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17812
---
ChangeLog | 8 ++++++++
src/sfnt/sfwoff2.c | 20 ++++++++++----------
2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index bbf2e1b..9dab663 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
2019-09-30 Werner Lemberg <address@hidden>
+ * src/sfnt/sfwoff2.c (reconstruct_font): Fix memory leak.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17812
+
+2019-09-30 Werner Lemberg <address@hidden>
+
[woff2] Reject fonts without `head' table.
Also fix memory deallocation in case of error.
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 2d85ef5..065023b 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1534,7 +1534,7 @@
/* Create a stream for the uncompressed buffer. */
if ( FT_NEW( stream ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
FT_Stream_OpenMemory( stream, transformed_buf, transformed_buf_size );
FT_ASSERT( FT_STREAM_POS() == 0 );
@@ -1554,16 +1554,16 @@
(FT_Char)( table.Tag ) ));
if ( FT_STREAM_SEEK( table.src_offset ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
if ( table.src_offset + table.src_length > transformed_buf_size )
- return FT_THROW( Invalid_Table );
+ goto Fail;
/* Get stream size for fields of `hmtx' table. */
if ( table.Tag == TTAG_hhea )
{
if ( read_num_hmetrics( stream, &num_hmetrics ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
}
info->num_hmetrics = num_hmetrics;
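Review bot: The `goto Fail` taken when `table.src_offset + table.src_length > transformed_buf_size` is reached with no assignment to `error` on any visible line, because the FT_STREAM_SEEK just before it succeeded; the removed `return FT_THROW( Invalid_Table )` supplied the code explicitly. The same applies to the `read_num_hmetrics` branch in this hunk and, in the later hunks, to the `table.src_length < 12` test, the WRITE_SFNT_BUF and get_x_mins branches and the unknown-transform branch, whose results are tested but never stored. The `Fail` label lies outside the diff, so please confirm it substitutes a code when `error` is still zero, e.g. `if ( !error ) error = FT_THROW( Invalid_Table );`. Without that, a rejected font would be reported as success after the cleanup runs.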
@@ -1575,7 +1575,7 @@
if ( table.Tag == TTAG_head )
{
if ( table.src_length < 12 )
- return FT_THROW( Invalid_Table );
+ goto Fail;
buf_cursor = transformed_buf + table.src_offset + 8;
/* Set checkSumAdjustment = 0 */
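Review bot: `buf_cursor = transformed_buf + table.src_offset + 8` stays inside the buffer only if the range test in the previous hunk held, and that test is written as the sum `table.src_offset + table.src_length > transformed_buf_size`. If both fields are unsigned and no wider than the buffer size (their declarations are outside the diff), the sum can wrap for a large offset and the test passes. Comparing without the addition avoids this: `if ( table.src_offset > transformed_buf_size || table.src_length > transformed_buf_size - table.src_offset ) goto Fail;`. The offsets are presumably taken from the WOFF2 table directory, so this is the check guarding the write announced by the `Set checkSumAdjustment = 0` comment. The body of the `head` branch continues outside the hunk.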
@@ -1590,7 +1590,7 @@
if ( WRITE_SFNT_BUF( transformed_buf + table.src_offset,
table.src_length ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
}
else
{
@@ -1611,7 +1611,7 @@
&dest_offset,
info,
memory ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
FT_TRACE4(( "Checksum = %09x.\n", checksum ));
}
@@ -1625,7 +1625,7 @@
if ( !is_glyf_xform )
{
if ( get_x_mins( stream, indices, num_tables, info, memory ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
}
table.dst_offset = dest_offset;
@@ -1639,13 +1639,13 @@
sfnt_size,
&dest_offset,
memory ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
}
else
{
/* Unknown transform. */
FT_ERROR(( "Unknown table transform.\n" ));
- return FT_THROW( Invalid_Table );
+ goto Fail;
}
}