freetype-commit

[freetype2] master fa147af: [woff2] Fix font table access.


From: Werner LEMBERG
Subject: [freetype2] master fa147af: [woff2] Fix font table access.
Date: Sat, 22 Feb 2020 12:31:25 -0500 (EST)

branch: master
commit fa147af4a5255bf9017c9b004f7abd1d5e72f497
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [woff2] Fix font table access.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20778
    
    * src/sfnt/sfwoff2.c (get_x_mins): Explicitly check for presence of
    `head' table, which might not have been processed yet.
---
 ChangeLog          | 11 +++++++++++
 src/sfnt/sfwoff2.c | 16 +++++++++++++---
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 16a7456..ad34231 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2020-02-22  Werner Lemberg  <address@hidden>
+
+       [woff2] Fix font table access.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20778
+
+       * src/sfnt/sfwoff2.c (get_x_mins): Explicitly check for presence of
+       `head' table, which might not have been processed yet.
+
 2020-02-21  Werner Lemberg  <address@hidden>
 
        [psaux] Make `t1_decoder_parse_metrics' handle `op_div' (#57519).
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 36365ad..fe3fbe8 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1268,8 +1268,11 @@
     FT_Error   error = FT_Err_Ok;
     FT_ULong   offset_size;
 
+    /* At this point of time those tables might not have been read yet. */
     const WOFF2_Table  maxp_table = find_table( tables, num_tables,
                                                 TTAG_maxp );
+    const WOFF2_Table  head_table = find_table( tables, num_tables,
+                                                TTAG_head );
 
 
     if ( !maxp_table )
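Review bot: The added comment above the `find_table` calls, "At this point of time those tables might not have been read yet", does not say which tables it means or which state may be missing. Suggest naming `maxp` and `head` and stating that `info->head_table` may still be unset when this code runs, which is why `head` is looked up locally with `find_table`. Since the pointer in `info` is left as it was, it is also worth checking that nothing else reached from this function still dereferences `info->head_table`.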
@@ -1278,6 +1281,12 @@
       return FT_THROW( Invalid_Table );
     }
 
+    if ( !head_table )
+    {
+      FT_ERROR(( "`head' table is missing.\n" ));
+      return FT_THROW( Invalid_Table );
+    }
+
     /* Read `numGlyphs' field from `maxp' table. */
     if ( FT_STREAM_SEEK( maxp_table->src_offset ) && FT_STREAM_SKIP( 8 ) )
       return error;
@@ -1288,8 +1297,8 @@
     info->num_glyphs = num_glyphs;
 
     /* Read `indexToLocFormat' field from `head' table. */
-    if ( FT_STREAM_SEEK( info->head_table->src_offset ) &&
-         FT_STREAM_SKIP( 50 )                           )
+    if ( FT_STREAM_SEEK( head_table->src_offset ) &&
+         FT_STREAM_SKIP( 50 )                     )
       return error;
 
     if ( FT_READ_USHORT( index_format ) )
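Review bot: The rewritten condition `FT_STREAM_SEEK( head_table->src_offset ) && FT_STREAM_SKIP( 50 )` still joins the two stream calls with `&&`. If these macros evaluate to non-zero on failure, which the `return error` body implies, a successful seek short-circuits the expression and the 50-byte skip never runs, so `index_format` is read from the start of the `head` table instead of from `indexToLocFormat`; a failed seek followed by a successful skip also goes unreported. Suggest `||` here, and in the `maxp` seek a few lines above, which has the same form with `FT_STREAM_SKIP( 8 )`.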
@@ -2145,7 +2154,8 @@
 
 #ifdef FT_DEBUG_LEVEL_TRACE
       if ( sfnt_size != woff2.totalSfntSize )
-        FT_TRACE4(( "adjusting estimate of uncompressed font size to %lu\n",
+        FT_TRACE4(( "adjusting estimate of uncompressed font size"
+                    " to %lu bytes\n",
                     sfnt_size ));
 #endif
     }
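Review bot: The `FT_TRACE4` message change in this hunk is unrelated to the `head' table check and is not mentioned in the commit message or the ChangeLog entry, which lists only `get_x_mins`. Suggest moving it to its own commit, or adding a ChangeLog line for it, so the fix for the reported issue can be reviewed and backported on its own.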


