

ref: 65681e6dc1937db57d5905c5dd89e0a306bc0634
parent: 53c5e4bd87ff8035d91022204bb5f3a051e78a99
author: Werner Lemberg <[email protected]>
date: Wed Sep 12 03:40:49 EDT 2018

[truetype] Improve VF check.

Triggered by

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255

* src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
for `tupleCount'.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2018-09-12  Werner Lemberg  <[email protected]>
 
+	[truetype] Improve VF check.
+
+	Triggered by
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255
+
+	* src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
+	for `tupleCount'.
+
+2018-09-12  Werner Lemberg  <[email protected]>
+
 	* src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.
 
 2018-09-10  Armin Hasitzka  <[email protected]>
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3672,6 +3672,7 @@
 
     FT_UInt   tupleCount;
     FT_ULong  offsetToData;
+    FT_ULong  dataSize;
 
     FT_ULong  here;
     FT_UInt   i, j;
@@ -3712,9 +3713,11 @@
          FT_NEW_ARRAY( has_delta, n_points )  )
       goto Fail1;
 
-    if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] )   ||
-         FT_FRAME_ENTER( blend->glyphoffsets[glyph_index + 1] -
-                           blend->glyphoffsets[glyph_index] ) )
+    dataSize = blend->glyphoffsets[glyph_index + 1] -
+                 blend->glyphoffsets[glyph_index];
+
+    if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
+         FT_FRAME_ENTER( dataSize )                         )
       goto Fail1;
 
     glyph_start = FT_Stream_FTell( stream );
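Review bot: The new `dataSize` is an unsigned difference of two adjacent `glyphoffsets` entries, so if the table is ever non-monotonic the value wraps to something huge; `FT_FRAME_ENTER( dataSize )` would then fail and the code jumps to `Fail1`, which is safe but not obvious to a reader of this hunk. The ChangeLog hunk above says the offsets were checked in the preceding commit, so this is presumably relied upon, but nothing here records that. A one-line comment above the subtraction would make the invariant explicit, e.g. `/* glyphoffsets[] is validated when `gvar' is loaded, so this cannot wrap */`, hedged to wherever that check actually lives. The enclosing function starts before this hunk and continues past it.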
@@ -3731,7 +3734,7 @@
 
     /* rough sanity test */
     if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
-           blend->gvar_size )
+           dataSize )
     {
       FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
                   " invalid glyph variation array header\n" ));
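Review bot: The comparison against `dataSize` on the changed line assumes `offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4` cannot wrap; that holds if both operands come from 16-bit fields, but the reads of `tupleCount` and `offsetToData` fall between this hunk and the previous one and are not visible here, so this is inferred. Bounding by the frame size rather than `blend->gvar_size` is tighter, yet the test is still only a lower bound if a tuple header can be longer than 4 bytes, and the existing `/* rough sanity test */` comment does not say why it is rough; I would expand it to `/* rough sanity test: 4 bytes is the minimum per-tuple header size, */` `/* so this only rejects obviously oversized headers; exact sizes are */` `/* checked while the tuples are parsed */`. Note also that the trace string names `TT_Vary_Apply_Glyph_Deltas` while the commit message attributes the change to `ft_var_load_gvar`; one of the two may be worth correcting. The enclosing function continues past the end of this hunk.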