[Git][freetype/freetype][master] 2 commits: [type1] Revert to signed size for binary data.

[Alexei Podtelezhnikov (@apodtele)]

Alexei Podtelezhnikov pushed to branch master at FreeType / FreeType

Commits:

• 1029eb93
  by Alexei Podtelezhnikov at 2021-10-11T22:25:14-04:00

  [type1] Revert to signed size for binary data.
  
  Recently introduced and reported as
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39838
  
  * src/type1/t1load.c (read_binary_data): Reject negative size.
  (parse_subrs, parse_charstrings): Use customary signed size.
  

• e294a95c
  by Alexei Podtelezhnikov at 2021-10-11T23:25:29-04:00

  * src/cid/cidload.c (parse_fd_array): Protect against trancation.
  

2 changed files:

• src/cid/cidload.c
• src/type1/t1load.c

Changes:

src/cid/cidload.c

---

...	...	@@ -244,12 +244,17 @@
244	244	FT_Memory memory = face->root.memory;
245	245	FT_Stream stream = parser->stream;
246	246	FT_Error error = FT_Err_Ok;
247		- FT_UInt num_dicts, max_dicts;
	247	+ FT_Long num_dicts, max_dicts;
248	248
249	249
250		- num_dicts = (FT_UInt)cid_parser_to_int( parser );
	250	+ num_dicts = cid_parser_to_int( parser );
	251	+ if ( num_dicts < 0 || num_dicts > FT_INT_MAX )
	252	+ {
	253	+ FT_ERROR(( "parse_fd_array: invalid number of dictionaries\n" ));
	254	+ goto Exit;
	255	+ }
251	256
252		- FT_TRACE4(( " %u\n", num_dicts ));
	257	+ FT_TRACE4(( " %ld\n", num_dicts ));
253	258
254	259	/*
255	260	* A single entry in the FDArray must (at least) contain the following
...	...	@@ -267,11 +272,11 @@
267	272	* need a `dup X' at the very beginning and a `put' at the end, so a
268	273	* rough guess using 100 bytes as the minimum is justified.
269	274	*/
270		- max_dicts = (FT_UInt)( stream->size / 100 );
	275	+ max_dicts = (FT_Long)( stream->size / 100 );
271	276	if ( num_dicts > max_dicts )
272	277	{
273	278	FT_TRACE0(( "parse_fd_array: adjusting FDArray size"
274		- " (from %u to %u)\n",
	279	+ " (from %ld to %ld)\n",
275	280	num_dicts, max_dicts ));
276	281	num_dicts = max_dicts;
277	282	}

src/type1/t1load.c

---

...	...	@@ -1336,7 +1336,7 @@
1336	1336
1337	1337	static int
1338	1338	read_binary_data( T1_Parser parser,
1339		- FT_ULong* size,
	1339	+ FT_Long* size,
1340	1340	FT_Byte** base,
1341	1341	FT_Bool incremental )
1342	1342	{
...	...	@@ -1356,7 +1356,7 @@
1356	1356
1357	1357	if ( cur < limit && ft_isdigit( *cur ) )
1358	1358	{
1359		- FT_ULong s = (FT_ULong)T1_ToInt( parser );
	1359	+ FT_Long s = T1_ToInt( parser );
1360	1360
1361	1361
1362	1362	T1_Skip_PS_Token( parser ); /* `RD' or `-|' or something else */
...	...	@@ -1365,7 +1365,7 @@
1365	1365	/* `RD' or `-|' token */
1366	1366	*base = parser->root.cursor + 1;
1367	1367
1368		- if ( s < (FT_ULong)( limit - *base ) )
	1368	+ if ( s >= 0 && s < limit - *base )
1369	1369	{
1370	1370	parser->root.cursor += s + 1;
1371	1371	*size = s;
...	...	@@ -1793,7 +1793,7 @@
1793	1793	for ( count = 0; ; count++ )
1794	1794	{
1795	1795	FT_Long idx;
1796		- FT_ULong size;
	1796	+ FT_Long size;
1797	1797	FT_Byte* base;
1798	1798
1799	1799
...	...	@@ -1851,7 +1851,7 @@
1851	1851	/* some fonts define empty subr records -- this is not totally */
1852	1852	/* compliant to the specification (which says they should at */
1853	1853	/* least contain a `return'), but we support them anyway */
1854		- if ( size < (FT_ULong)face->type1.private_dict.lenIV )
	1854	+ if ( size < face->type1.private_dict.lenIV )
1855	1855	{
1856	1856	error = FT_THROW( Invalid_File_Format );
1857	1857	goto Fail;
...	...	@@ -1862,7 +1862,7 @@
1862	1862	goto Fail;
1863	1863	FT_MEM_COPY( temp, base, size );
1864	1864	psaux->t1_decrypt( temp, size, 4330 );
1865		- size -= (FT_ULong)face->type1.private_dict.lenIV;
	1865	+ size -= face->type1.private_dict.lenIV;
1866	1866	error = T1_Add_Table( table, (FT_Int)idx,
1867	1867	temp + face->type1.private_dict.lenIV, size );
1868	1868	FT_FREE( temp );
...	...	@@ -1967,7 +1967,7 @@
1967	1967
1968	1968	for (;;)
1969	1969	{
1970		- FT_ULong size;
	1970	+ FT_Long size;
1971	1971	FT_Byte* base;
1972	1972
1973	1973
...	...	@@ -2061,7 +2061,7 @@
2061	2061	FT_Byte* temp = NULL;
2062	2062
2063	2063
2064		- if ( size <= (FT_ULong)face->type1.private_dict.lenIV )
	2064	+ if ( size <= face->type1.private_dict.lenIV )
2065	2065	{
2066	2066	error = FT_THROW( Invalid_File_Format );
2067	2067	goto Fail;
...	...	@@ -2072,7 +2072,7 @@
2072	2072	goto Fail;
2073	2073	FT_MEM_COPY( temp, base, size );
2074	2074	psaux->t1_decrypt( temp, size, 4330 );
2075		- size -= (FT_ULong)face->type1.private_dict.lenIV;
	2075	+ size -= face->type1.private_dict.lenIV;
2076	2076	error = T1_Add_Table( code_table, n,
2077	2077	temp + face->type1.private_dict.lenIV, size );
2078	2078	FT_FREE( temp );
...	...	@@ -2324,7 +2324,7 @@
2324	2324	else if ( *cur == 'R' && cur + 6 < limit && *(cur + 1) == 'D' &&
2325	2325	have_integer )
2326	2326	{
2327		- FT_ULong s;
	2327	+ FT_Long s;
2328	2328	FT_Byte* b;
2329	2329
2330	2330
...	...	@@ -2337,7 +2337,7 @@
2337	2337	else if ( *cur == '-' && cur + 6 < limit && *(cur + 1) == '|' &&
2338	2338	have_integer )
2339	2339	{
2340		- FT_ULong s;
	2340	+ FT_Long s;
2341	2341	FT_Byte* b;
2342	2342
2343	2343

—
View it on GitLab.
You're receiving this email because of your account on gitlab.freedesktop.org. If you'd like to receive fewer emails, you can adjust your notification settings.