freetype-commit

[freetype2] master 034e5dbf9: [psaux] Full bounds check for OtherSubr 19


From: Werner Lemberg
Subject: [freetype2] master 034e5dbf9: [psaux] Full bounds check for OtherSubr 19.
Date: Wed, 23 Feb 2022 11:50:02 -0500 (EST)

branch: master
commit 034e5dbf92ea3a7ea7c9322e47a3a50ff23f7b55
Author: Ben Wagner <bungeman@chromium.org>
Commit: Werner Lemberg <wl@gnu.org>

    [psaux] Full bounds check for OtherSubr 19.
    
    It is possible for OtherSubr 19 to be invoked when `decoder->buildchar` is
    NULL (so that `decoder->len_buildchar` is 0), the `blend` is non-NULL with
    `blend->num_designs` set to 2, and the user supplied `idx` to be large (for
    example 0xFFFFFFFE).  Since these are all `FT_UInt32` the existing bounds
    check overflows in a well defined manner, allowing for an invalid call to
    `memcpy`.
    
    In addition, it is possible to call OtherSubr 19 with
    `decoder->len_buildchar`, `blend->num_designs`, and `idx` all zero (implying
    that `blend->weight_vector` and `decoder->buildchar` are NULL).  This passes
    the bounds check (it is logically always fine to copy nothing starting at
    index zero) but may invoke undefined behavior in `ft_memcpy` if it is backed
    by `memcpy`.  Calling `memcpy` with either the `src` or `dst` NULL is
    undefined behavior (even if `count` is zero).
    
    * src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that
    `blend->num_designs` can be copied to `decoder->buildchar[idx]`.
    Also avoid passing NULL to `ft_memcpy`.
    
    Bug: https://crbug.com/1299259
---
 src/psaux/psintrp.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
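The commit message above describes two distinct defects in the OtherSubr 19 bounds check: an unsigned wraparound in `idx + blend->num_designs` and a zero-length `memcpy` with NULL pointers. The following is an added, self-contained C example (not FreeType's code) that reproduces the pre-fix and post-fix predicates from the diff side by side and wraps the copy in a hypothetical `copy_weights` helper that mirrors the fixed logic. It assumes `FT_UInt` is a 32-bit unsigned integer, as the commit message states, and models the buffer element type as `long` (FreeType's `FT_Fixed`).

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumptions: FT_UInt is 32-bit unsigned (per the commit message);
   FT_Fixed is a signed long in FreeType and is used here only as the
   element type of the weight buffer. */
typedef uint32_t FT_UInt;
typedef long     FT_Fixed;

/* Pre-fix predicate from the diff. The addition is performed in 32-bit
   unsigned arithmetic, so idx = 0xFFFFFFFE and num_designs = 2 wrap to 0
   and the check does NOT reject even when len_buildchar is 0. */
int old_check_rejects(FT_UInt idx, FT_UInt num_designs, FT_UInt len_buildchar)
{
    return idx + num_designs > len_buildchar;
}

/* Post-fix predicate from the diff. The subtraction is only evaluated
   after len_buildchar >= num_designs is established, so it cannot wrap. */
int new_check_rejects(FT_UInt idx, FT_UInt num_designs, FT_UInt len_buildchar)
{
    return len_buildchar < num_designs || len_buildchar - num_designs < idx;
}

/* Hypothetical stand-in for the copy into decoder->buildchar[idx].
   Returns the number of elements copied, or -1 when the request is rejected.
   As in the fix, memcpy is skipped when either pointer is NULL, which is only
   reachable when the request is for zero elements at index zero. */
int copy_weights(FT_Fixed *buildchar, FT_UInt len_buildchar,
                 const FT_Fixed *weight_vector, FT_UInt num_designs, FT_UInt idx)
{
    if (new_check_rejects(idx, num_designs, len_buildchar))
        return -1;

    if (buildchar && weight_vector)
        memcpy(&buildchar[idx], weight_vector,
               num_designs * sizeof(weight_vector[0]));

    return (int)num_designs;
}

/* Exercises an in-bounds copy of two constructed weights into a 4-element
   buffer at index 2 and returns buf[2] + buf[3] (5 + 7 = 12). */
long in_bounds_copy_sum(void)
{
    FT_Fixed buf[4] = { 0, 0, 0, 0 };
    const FT_Fixed weights[2] = { 5, 7 };   /* constructed sample values */

    if (copy_weights(buf, 4, weights, 2, 2) != 2)
        return -1;
    return buf[2] + buf[3];
}

int main(void)
{
    /* Case 1 from the commit message: wraparound in the old check. */
    printf("old check rejects idx=0xFFFFFFFE,n=2,len=0: %d\n",
           old_check_rejects(0xFFFFFFFEu, 2, 0));   /* 0: the bug */
    printf("new check rejects idx=0xFFFFFFFE,n=2,len=0: %d\n",
           new_check_rejects(0xFFFFFFFEu, 2, 0));   /* 1: fixed */

    /* Case 2: all-zero request with NULL buffers never reaches memcpy. */
    printf("all-zero NULL copy returns: %d\n", copy_weights(NULL, 0, NULL, 0, 0));

    /* Ordinary in-bounds copy still works. */
    printf("in-bounds copy sum: %ld\n", in_bounds_copy_sum());
    return 0;
}
```

The two-comparison form is the general pattern for an "offset plus length fits in buffer" test on unsigned integers: compare the length first, then compare the offset against the remaining room, so that no intermediate sum can exceed the type's range.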

diff --git a/src/psaux/psintrp.c b/src/psaux/psintrp.c
index c550533a0..6c640eebd 100644
--- a/src/psaux/psintrp.c
+++ b/src/psaux/psintrp.c
@@ -1900,7 +1900,8 @@
                       /*     WeightVector                         */
                       {
                         FT_UInt   idx;
-                        PS_Blend  blend = decoder->blend;
+                        PS_Blend  blend         = decoder->blend;
+                        FT_UInt   len_buildchar = decoder->len_buildchar;
 
 
                         if ( arg_cnt != 1 || !blend )
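Review bot: caching `decoder->len_buildchar` in a local is fine since nothing in the visible lines modifies it before the copy, but for symmetry the new check below reads `blend->num_designs` twice and would read more cleanly with a matching local (say `num_designs`), which also keeps the two-comparison bounds test on one short line each.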
@@ -1908,14 +1909,15 @@
 
                         idx = (FT_UInt)cf2_stack_popInt( opStack );
 
-                        if ( idx + blend->num_designs >
-                               decoder->len_buildchar   )
+                        if ( len_buildchar < blend->num_designs       ||
+                             len_buildchar - blend->num_designs < idx )
                           goto Unexpected_OtherSubr;
 
-                        ft_memcpy( &decoder->buildchar[idx],
-                                   blend->weight_vector,
-                                   blend->num_designs *
-                                   sizeof ( blend->weight_vector[0] ) );
+                        if ( decoder->buildchar && blend->weight_vector )
+                          ft_memcpy( &decoder->buildchar[idx],
+                                     blend->weight_vector,
+                                     blend->num_designs *
+                                       sizeof ( blend->weight_vector[0] ) );
                       }
                       break;
 
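Review bot: the new guard `if ( decoder->buildchar && blend->weight_vector )` silently skips the copy rather than jumping to `Unexpected_OtherSubr`; per the commit message this branch is only reachable when `len_buildchar`, `blend->num_designs` and `idx` are all zero, so no data is lost, but a one-line comment stating that invariant (NULL buffers imply a zero-length request) would make the silent skip obviously safe to the next reader. The rewritten bounds check itself is correct: the subtraction `len_buildchar - blend->num_designs` is evaluated only after `len_buildchar < blend->num_designs` has been ruled out, so neither comparison can wrap.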


