[freetype2] master 6e44d78: [type1] Avoid segfaults with `FT_Get_PS

freetype-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freetype2] master 6e44d78: [type1] Avoid segfaults with `FT_Get_PS_Font

From:	Werner LEMBERG
Subject:	[freetype2] master 6e44d78: [type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
Date:	Sat, 28 Jul 2018 16:23:32 -0400 (EDT)

branch: master
commit 6e44d78cc1d89f39e1086441ae4cbb2815d9f067
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610
    
    * src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
---
 ChangeLog            | 10 +++++++++
 src/type1/t1driver.c | 57 ++++++++++++++++++++++++++++++++++------------------
 2 files changed, 48 insertions(+), 19 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 382683f..ab5102c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2018-07-28  Werner Lemberg  <address@hidden>
+
+       [type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610
+
+       * src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
+
 2018-07-27  Werner Lemberg  <address@hidden>
 
        [truetype] Make `TT_Set_MM_Blend' idempotent (#54388).
diff --git a/src/type1/t1driver.c b/src/type1/t1driver.c
index e5f6aca..4d46e3e 100644
--- a/src/type1/t1driver.c
+++ b/src/type1/t1driver.c
@@ -270,9 +270,12 @@
       break;
 
     case PS_DICT_FONT_NAME:
-      retval = ft_strlen( type1->font_name ) + 1;
-      if ( value && value_len >= retval )
-        ft_memcpy( value, (void *)( type1->font_name ), retval );
+      if ( type1->font_name )
+      {
+        retval = ft_strlen( type1->font_name ) + 1;
+        if ( value && value_len >= retval )
+          ft_memcpy( value, (void *)( type1->font_name ), retval );
+      }
       break;
 
     case PS_DICT_UNIQUE_ID:
@@ -362,7 +365,7 @@
             ok = 1;
         }
 
-        if ( ok )
+        if ( ok && type1->subrs )
         {
           retval = type1->subrs_len[idx] + 1;
           if ( value && value_len >= retval )
@@ -559,33 +562,49 @@
       break;
 
     case PS_DICT_VERSION:
-      retval = ft_strlen( type1->font_info.version ) + 1;
-      if ( value && value_len >= retval )
-        ft_memcpy( value, (void *)( type1->font_info.version ), retval );
+      if ( type1->font_info.version )
+      {
+        retval = ft_strlen( type1->font_info.version ) + 1;
+        if ( value && value_len >= retval )
+          ft_memcpy( value, (void *)( type1->font_info.version ), retval );
+      }
       break;
 
     case PS_DICT_NOTICE:
-      retval = ft_strlen( type1->font_info.notice ) + 1;
-      if ( value && value_len >= retval )
-        ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
+      if ( type1->font_info.notice )
+      {
+        retval = ft_strlen( type1->font_info.notice ) + 1;
+        if ( value && value_len >= retval )
+          ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
+      }
       break;
 
     case PS_DICT_FULL_NAME:
-      retval = ft_strlen( type1->font_info.full_name ) + 1;
-      if ( value && value_len >= retval )
-        ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
+      if ( type1->font_info.full_name )
+      {
+        retval = ft_strlen( type1->font_info.full_name ) + 1;
+        if ( value && value_len >= retval )
+          ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
+      }
       break;
 
     case PS_DICT_FAMILY_NAME:
-      retval = ft_strlen( type1->font_info.family_name ) + 1;
-      if ( value && value_len >= retval )
-        ft_memcpy( value, (void *)( type1->font_info.family_name ), retval );
+      if ( type1->font_info.family_name )
+      {
+        retval = ft_strlen( type1->font_info.family_name ) + 1;
+        if ( value && value_len >= retval )
+          ft_memcpy( value, (void *)( type1->font_info.family_name ),
+                     retval );
+      }
       break;
 
     case PS_DICT_WEIGHT:
-      retval = ft_strlen( type1->font_info.weight ) + 1;
-      if ( value && value_len >= retval )
-        ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
+      if ( type1->font_info.weight )
+      {
+        retval = ft_strlen( type1->font_info.weight ) + 1;
+        if ( value && value_len >= retval )
+          ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
+      }
       break;
 
     case PS_DICT_ITALIC_ANGLE:

[Prev in Thread]

Current Thread

[Next in Thread]

[freetype2] master 6e44d78: [type1] Avoid segfaults with `FT_Get_PS_Font_Value'., Werner LEMBERG <=

Prev by Date: [freetype2] GSoC-2018-nikhil fecfbbb: * builds/freetype.mk: Add rule 'refdoc-venv'.
Next by Date: [freetype2] master 2c3e895: [smooth] Fix Harmony memory management.
Previous by thread: [freetype2] GSoC-2018-nikhil fecfbbb: * builds/freetype.mk: Add rule 'refdoc-venv'.
Next by thread: [freetype2] master 2c3e895: [smooth] Fix Harmony memory management.
Index(es):
- Date
- Thread