[Git][freetype/freetype][master] [truetype] Quietly reject out-of-spec `hdmx` tables.

[Alexei Podtelezhnikov (@apodtele)]

Alexei Podtelezhnikov pushed to branch master at FreeType / FreeType

Commits:

• 32f13c11
  by Alexei Podtelezhnikov at 2021-11-25T22:38:40-05:00

  [truetype] Quietly reject out-of-spec `hdmx` tables.
  
  The `hdmx` table is optional and can be safely rejected without
  an error if it does not follow specifications. The record size
  must be equal to the number of glyphs + 2 + 32-bit padding.
  
  * src/truetype/ttpload.c (tt_face_load_hdmx): Thoroughly check
  the record size and improve tracing.
  

1 changed file:

• src/truetype/ttpload.c

Changes:

src/truetype/ttpload.c

---

...	...	@@ -547,12 +547,6 @@
547	547	num_records = FT_NEXT_USHORT( p );
548	548	record_size = FT_NEXT_ULONG( p );
549	549
550		- /* The maximum number of bytes in an hdmx device record is the */
551		- /* maximum number of glyphs + 2 + 32-bit padding, or 0x10004, */
552		- /* that is why `record_size' is a long (which we read as */
553		- /* unsigned long for convenience). In practice, two bytes are */
554		- /* sufficient to hold the size value. */
555		- /* */
556	550	/* There are at least two fonts, HANNOM-A and HANNOM-B version */
557	551	/* 2.0 (2005), which get this wrong: The upper two bytes of */
558	552	/* the size value are set to 0xFF instead of 0x00. We catch */
...	...	@@ -561,13 +555,21 @@
561	555	if ( record_size >= 0xFFFF0000UL )
562	556	record_size &= 0xFFFFU;
563	557
	558	+ FT_TRACE2(( "Hdmx ", num_records, record_size ));
	559	+
564	560	/* The limit for `num_records' is a heuristic value. */
565		- if ( num_records > 255 ||
566		- ( num_records > 0 &&
567		- ( record_size > 0x10004UL ||
568		- record_size < 4 ) ) )
	561	+ if ( num_records > 255 || num_records == 0 )
	562	+ {
	563	+ FT_TRACE2(( "with unreasonable %u records rejected\n", num_records ));
	564	+ goto Fail;
	565	+ }
	566	+
	567	+ /* Out-of-spec tables are rejected. */
	568	+ if ( (FT_Long)record_size != ( ( face->root.num_glyphs + 5 ) & ~3 ) )
569	569	{
570		- error = FT_THROW( Invalid_File_Format );
	570	+ FT_TRACE2(( "with record size off by %ld bytes rejected\n",
	571	+ (FT_Long)record_size -
	572	+ ( ( face->root.num_glyphs + 5 ) & ~3 ) ));
571	573	goto Fail;
572	574	}
573	575
...	...	@@ -587,6 +589,8 @@
587	589	face->hdmx_table_size = table_size;
588	590	face->hdmx_record_size = record_size;
589	591
	592	+ FT_TRACE2(( "%ux%lu loaded\n", num_records, record_size ));
	593	+
590	594	Exit:
591	595	return error;
592	596

—
View it on GitLab.
You're receiving this email because of your account on gitlab.freedesktop.org. If you'd like to receive fewer emails, you can adjust your notification settings.