[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 7a493e3a4: [sfnt, type42] Correct previous commit.
|
From: |
Werner Lemberg |
|
Subject: |
[freetype2] master 7a493e3a4: [sfnt, type42] Correct previous commit. |
|
Date: |
Sat, 8 Jan 2022 04:34:05 -0500 (EST) |
branch: master
commit 7a493e3a404cd04ad2d798e985d7441bd2d955ea
Author: Werner Lemberg <wl@gnu.org>
Commit: Werner Lemberg <wl@gnu.org>
[sfnt, type42] Correct previous commit.
Really fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42773.
* src/sfnt/ttload.c (check_table_dir): Revert change.
* src/type42/t42.parse.c (t42_parse_sfnts): Don't use `FT_QREALLOC` but
`FT_REALLOC` for setting up `ttf_data` to avoid uninitialized memory access
while handling malformed TrueType fonts later on.
---
src/sfnt/ttload.c | 2 +-
src/type42/t42parse.c | 13 ++++++++++---
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 184e43ec2..51416d80b 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -200,7 +200,7 @@
for ( nn = 0; nn < sfnt->num_tables; nn++ )
{
- TT_TableRec table = { 0, 0, 0, 0 };
+ TT_TableRec table;
if ( FT_STREAM_READ_FIELDS( table_dir_entry_fields, &table ) )
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index ea2c5198a..0407b1a11 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -718,7 +718,9 @@
goto Fail;
}
- if ( FT_QREALLOC( face->ttf_data, 12, face->ttf_size ) )
+ /* To handle bad fonts with an invalid table directory */
+ /* we don't use `FT_QREALLOC` here. */
+ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
goto Fail;
}
/* fall through */
@@ -767,8 +769,13 @@
FT_TRACE2(( " allocating %ld bytes\n", face->ttf_size + 1 ));
FT_TRACE2(( "\n" ));
- if ( FT_QREALLOC( face->ttf_data, 12 + 16 * num_tables,
- face->ttf_size + 1 ) )
+ /* To handle bad fonts we don't use `FT_QREALLOC` here: */
+ /* chances are high that due to incorrect values in the */
+ /* table directory the computation of `ttf_size` would be */
+ /* incorrect otherwise, causing run-time errors because of */
+ /* accessing uninitialized memory. */
+ if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
+ face->ttf_size + 1 ) )
goto Fail;
}
/* fall through */
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 7a493e3a4: [sfnt, type42] Correct previous commit.,
Werner Lemberg <=