[Git][freetype/freetype][master] [psaux] Full bounds check for OtherSubr

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

034e5dbf

by Ben Wagner at 2022-02-23T17:42:55+01:00

[psaux] Full bounds check for OtherSubr 19.

It is possible for OtherSubr 19 to be invoked when `decoder->buildchar` is
NULL (so that `decoder->len_buildchar` is 0), the `blend` is non-NULL with
`blend->num_designs` set to 2, and the user supplied `idx` to be large (for
example 0xFFFFFFFE).  Since these are all `FT_UInt32` the existing bounds
check overflows in a well defined manner, allowing for an invalid call to
`memcpy`.

In addition, it is possible to call OtherSubr 19 with
`decoder->len_buildchar`, `blend->num_designs`, and `idx` all zero (implying
that `blend->weight_vector` and `decoder->buildchar` are NULL).  This passes
the bounds check (it is logically always fine to copy nothing starting at
index zero) but may invoke undefined behavior in `ft_memcpy` if it is backed
by `memcpy`.  Calling `memcpy` with either the `src` or `dst` NULL is
undefined behavior (even if `count` is zero).

* src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that
`blend->num_designs` can be copied to `decoder->buildchar[idx]`.
Also avoid passing NULL to `ft_memcpy`.

Bug: https://crbug.com/1299259

1 changed file:

src/psaux/psintrp.c

Changes:

src/psaux/psintrp.c

@@ -1900,7 +1900,8 @@
                        /*     WeightVector                         */
+                       {
                          FT_UInt   idx;
 -                        PS_Blend  blend = decoder->blend;
 +                        PS_Blend  blend         = decoder->blend;
 +                        FT_UInt   len_buildchar = decoder->len_buildchar;
                          if ( arg_cnt != 1 || !blend )
@@ -1908,14 +1909,15 @@
                          idx = (FT_UInt)cf2_stack_popInt( opStack );
 -                        if ( idx + blend->num_designs >
 -                               decoder->len_buildchar   )
 +                        if ( len_buildchar < blend->num_designs       ||
 +                             len_buildchar - blend->num_designs < idx )
                            goto Unexpected_OtherSubr;
 -                        ft_memcpy( &decoder->buildchar[idx],
 -                                   blend->weight_vector,
 -                                   blend->num_designs *
 -                                   sizeof ( blend->weight_vector[0] ) );
 +                        if ( decoder->buildchar && blend->weight_vector )
 +                          ft_memcpy( &decoder->buildchar[idx],
 +                                     blend->weight_vector,
 +                                     blend->num_designs *
 +                                       sizeof ( blend->weight_vector[0] ) );
+                       }
                        break;

From:	Werner Lemberg (@wl)
Subject:	[Git][freetype/freetype][master] [psaux] Full bounds check for OtherSubr 19.
Date:	Wed, 23 Feb 2022 16:49:53 +0000