ref: 3360ca5853007f1bc5a550c3837f08242fd4c651
parent: 3c99016f8fed63c2c6a10565d72bf7d8e924f57e
author: Werner Lemberg <[email protected]>
date: Tue May 22 05:06:24 EDT 2018
[truetype] Reject elements of composites with invalid glyph indices. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413 * src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
2018-05-22 Werner Lemberg <[email protected]>
+ [truetype] Reject elements of composites with invalid glyph indices.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413
+
+ * src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
+
+2018-05-22 Werner Lemberg <[email protected]>
+
* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Trace # of points.
2018-05-20 Werner Lemberg <[email protected]>
--- a/include/freetype/config/ftheader.h
+++ b/include/freetype/config/ftheader.h
@@ -760,6 +760,18 @@
#define FT_ADVANCES_H <freetype/ftadvanc.h>
+ /*************************************************************************
+ *
+ * @macro:
+ * FT_COLOR_H
+ *
+ * @description:
+ * A macro used in #include statements to name the file containing the
+ * FreeType~2 API which handles the OpenType CPAL table.
+ */
+#define FT_COLOR_H <freetype/ftcolor.h>
+
+
/* */
/* These header files don't need to be included by the user. */
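Review bot: The `FT_COLOR_H` macro added in this hunk is not mentioned in the commit message or the ChangeLog entry, which describe only the composite-glyph index check in `src/truetype/ttgload.c`. Bundling a new public header macro, the `#include FT_COLOR_H` in `ftbitmap.h` and the `FT_Bitmap_Blend` declaration with a fuzzer-reported fix makes that fix harder to audit and to backport on its own. I would move the three API hunks into a separate commit with their own ChangeLog entry. This diff also does not add `freetype/ftcolor.h`; if that file is not already in the tree, every translation unit that includes `ftbitmap.h` stops compiling.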
--- a/include/freetype/ftbitmap.h
+++ b/include/freetype/ftbitmap.h
@@ -22,6 +22,7 @@
#include <ft2build.h>
#include FT_FREETYPE_H
+#include FT_COLOR_H
#ifdef FREETYPE_H
#error "freetype.h of FreeType 1 has been loaded!"
@@ -180,6 +181,43 @@
const FT_Bitmap *source,
FT_Bitmap *target,
FT_Int alignment );
+
+
+ /*************************************************************************/
+ /* */
+ /* <Function> */
+ /* FT_Bitmap_Blend */
+ /* */
+ /* <Description> */
+ /* Blend a bitmap object from an `FT_GlyphSlot' structure onto a */
+ /* bitmap in an `FT_Bitmap' structure, using a given color and */
+ /* offset. */
+ /* */
+ /* <InOut> */
+ /* target :: A handle to a bitmap object. Its type must be */
+ /* @FT_PIXEL_MODE_BGRA. */
+ /* */
+ /* <Input> */
+ /* source :: The glyph slot's source bitmap, which can have any */
+ /* @FT_Pixel_Mode format. */
+ /* */
+ /* color :: The color used to draw `source' onto `target'. */
+ /* */
+ /* topleft :: A vector from the topleft corner of `source' to the */
+ /* topleft corner of `target'. */
+ /* */
+ /* <Return> */
+ /* FreeType error code. 0~means success. */
+ /* */
+ /* <Note> */
+ /* This function reallocates the target bitmap if necessary; it */
+ /* doesn't perform clipping. */
+ /* */
+ FT_EXPORT( FT_Error )
+ FT_Bitmap_Blend( FT_Bitmap target,
+ FT_GlyphSlot source,
+ FT_Color color,
+ FT_Vector topleft );
/*************************************************************************/
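Review bot: `FT_Bitmap_Blend` takes `target` by value (`FT_Bitmap target`), yet the comment lists it under `<InOut>` and the note says the function reallocates the target bitmap if necessary. A callee that reallocates through a by-value copy leaves the caller's structure with the old `buffer` pointer and dimensions, so the caller may go on using a stale buffer. The parameter should be a pointer, `FT_Bitmap* target,`, in line with the `FT_Bitmap *target` of the declaration just above this hunk. Because the note says no clipping is performed, the comment should also state what the caller must guarantee about `topleft` relative to the two bitmap sizes. The definition is not part of this diff, so the actual bounds handling cannot be checked here.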
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -561,9 +561,10 @@
TT_Load_Composite_Glyph( TT_Loader loader )
{
FT_Error error;
- FT_Byte* p = loader->cursor;
- FT_Byte* limit = loader->limit;
- FT_GlyphLoader gloader = loader->gloader;
+ FT_Byte* p = loader->cursor;
+ FT_Byte* limit = loader->limit;
+ FT_GlyphLoader gloader = loader->gloader;
+ FT_Long num_glyphs = loader->face->root.num_glyphs;
FT_SubGlyph subglyph;
FT_UInt num_subglyphs;
@@ -591,6 +592,11 @@
subglyph->flags = FT_NEXT_USHORT( p );
subglyph->index = FT_NEXT_USHORT( p );
+
+ /* we reject composites that have components */
+ /* with invalid glyph indices */
+ if ( subglyph->index >= num_glyphs )
+ goto Invalid_Composite;
/* check space */
count = 2;