shithub: freetype+ttf2subf

git/fs: mount .git/fs: mount/attach disallowed

--- a/ChangeLog

+++ b/ChangeLog

@@ -1,5 +1,18 @@

 2018-09-13  Werner Lemberg  <[email protected]>

+	[truetype] Some fixes for VF checks.

+	Reported as

+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10317

+	* src/truetype/ttgxvar.c (ft_var_load_gvar): Properly exit memory

+	frame if we have invalid glyph variation data offsets.

+	(tt_face_vary_cvt): Protect against missing `tuplecoords' array.

+	Fix typo.

+2018-09-13  Werner Lemberg  <[email protected]>

 	* src/sfnt/sfdriver.c (sfnt_get_var_ps_name): Fix last commit.

 2018-09-13  Werner Lemberg  <[email protected]>

--- a/src/truetype/ttgxvar.c

+++ b/src/truetype/ttgxvar.c

@@ -1548,11 +1548,9 @@

                       " invalid glyph variation data offset for index %d\n",

                       i ));

           error = FT_THROW( Invalid_Table );

-          goto Exit;

+          break;

-      FT_FRAME_EXIT();

     else

@@ -1573,13 +1571,15 @@

                       " invalid glyph variation data offset for index %d\n",

                       i ));

           error = FT_THROW( Invalid_Table );

-          goto Exit;

+          break;

-      FT_FRAME_EXIT();

+    FT_FRAME_EXIT();

+    if ( error )

+      goto Exit;

     if ( blend->tuplecount != 0 )

       if ( FT_NEW_ARRAY( blend->tuplecoords,

@@ -3263,13 +3263,24 @@

                     " invalid tuple index\n" ));

         error = FT_THROW( Invalid_Table );

-        goto Exit;

+        goto FExit;

       else

+      {

+        if ( !blend->tuplecoords )

+        {

+          FT_TRACE2(( "tt_face_vary_cvt:"

+                      " no valid tuple coordinates available\n" ));

+          error = FT_THROW( Invalid_Table );

+          goto FExit;

+        }

         FT_MEM_COPY(

           tuple_coords,

           &blend->tuplecoords[( tupleIndex & 0xFFF ) * blend->num_axis],

           blend->num_axis * sizeof ( FT_Fixed ) );

+      }

       if ( tupleIndex & GX_TI_INTERMEDIATE_TUPLE )