freetype-commit

From: Werner Lemberg (@wl)
Subject: [Git][freetype/freetype][master] [truetype] Reject 'fvar' loading when `num_instances` is too small.
Date: Tue, 06 Sep 2022 15:18:43 +0000

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

  • 8e68439a
    by Dominik Röttsches at 2022-09-06T17:18:17+02:00
    [truetype] Reject 'fvar' loading when `num_instances` is too small.
    
    * src/truetype/ttgxvar.c (TT_Get_MM_Var): Reject retrieving master when
    'fvar' values locally do not match with sanitized values from initialization
    at `sfnt_init_face` time.
    
    Reported as
    
      https://bugs.chromium.org/p/chromium/issues/detail?id=1360295
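The commit message describes a consistency problem between two readings of the same 'fvar' field: the named-instance count sanitized at `sfnt_init_face` time (and reset to 0 when the table is inconsistent) versus the raw `instanceCount` re-read from the table in `TT_Get_MM_Var`. The following C program is an added example, not FreeType code, that models both views on a constructed 'fvar' table and shows why the raw value must be compared against the sanitized one before it drives an allocation. The sanitization rules in `sanitized_num_instances` are a simplified stand-in for what `sfobjs.c` does, not a copy of it; `build_fvar`, `scenario` and `scenario_overrun` are hypothetical helpers written for this example.

```c
/* Added example (not FreeType code): two views of one 'fvar' field.
 * Face-init validates the named-instance count against the table length
 * and resets it to 0 on inconsistency; a later consumer that re-reads the
 * raw header must compare against that sanitized count before trusting
 * `instanceCount` to size or fill any buffer.
 * Assumption: the sanitization below is a simplified stand-in for
 * sfnt_init_face, not its exact rules. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FVAR_HEAD_LEN 16
#define AXIS_REC_LEN  20   /* VariationAxisRecord is 20 bytes in OpenType */

typedef struct {
  uint16_t axesArrayOffset;
  uint16_t axisCount, axisSize;
  uint16_t instanceCount, instanceSize;
} fvar_head;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Read the fixed header (big-endian); 0 if the table cannot even hold it. */
static int parse_fvar_head(const uint8_t *tab, size_t len, fvar_head *h) {
  if (len < FVAR_HEAD_LEN) return 0;
  h->axesArrayOffset = rd16(tab + 4);
  h->axisCount       = rd16(tab + 8);
  h->axisSize        = rd16(tab + 10);
  h->instanceCount   = rd16(tab + 12);
  h->instanceSize    = rd16(tab + 14);
  return 1;
}

/* Face-init view: the count is trusted only if every record fits in the
 * table; otherwise it is reset to 0 (assumed simplification of sfobjs.c). */
unsigned sanitized_num_instances(const uint8_t *tab, size_t len) {
  fvar_head h;
  size_t need;
  if (!parse_fvar_head(tab, len, &h)) return 0;
  if (h.axisSize != AXIS_REC_LEN) return 0;
  if (h.instanceSize < 4u + 4u * h.axisCount) return 0;
  need = (size_t)h.axesArrayOffset + (size_t)h.axisCount * h.axisSize
       + (size_t)h.instanceCount * h.instanceSize;
  if (need > len) return 0;              /* inconsistent table: reset */
  return h.instanceCount;
}

/* Consumer view, as TT_Get_MM_Var does after the patch: re-read the raw
 * header and reject when the sanitized count is smaller than the claim.
 * Returns the raw count to use, or -1 (the Invalid_Table analogue). */
int checked_instance_count(const uint8_t *tab, size_t len, unsigned num_instances) {
  fvar_head h;
  if (!parse_fvar_head(tab, len, &h)) return -1;
  if (num_instances < h.instanceCount) return -1;
  return (int)h.instanceCount;
}

/* Constructed sample: one axis, `claimed` instances in the header, but only
 * `present` instance records actually laid out. Returns bytes written. */
size_t build_fvar(uint8_t *out, size_t cap, uint16_t claimed, uint16_t present) {
  uint16_t inst_size = 4 + 4 * 1;      /* nameID, flags, one coordinate */
  size_t len = FVAR_HEAD_LEN + AXIS_REC_LEN + (size_t)present * inst_size;
  if (len > cap) return 0;
  memset(out, 0, len);
  wr16(out + 0, 1);                    /* majorVersion */
  wr16(out + 4, FVAR_HEAD_LEN);        /* axesArrayOffset */
  wr16(out + 8, 1);                    /* axisCount */
  wr16(out + 10, AXIS_REC_LEN);        /* axisSize */
  wr16(out + 12, claimed);             /* instanceCount as the table claims */
  wr16(out + 14, inst_size);           /* instanceSize */
  memcpy(out + FVAR_HEAD_LEN, "wght", 4);
  return len;
}

/* Run both views; `extra` models a default instance synthesized on top of
 * the sanitized count (the "num_instances is larger" case). */
int scenario(uint16_t claimed, uint16_t present, unsigned extra) {
  uint8_t buf[256];
  size_t n = build_fvar(buf, sizeof buf, claimed, present);
  return checked_instance_count(buf, n, sanitized_num_instances(buf, n) + extra);
}

/* Pre-patch hazard: records the raw header would drive a fill loop past a
 * buffer sized from the sanitized count (0 when the check would pass). */
unsigned scenario_overrun(uint16_t claimed, uint16_t present) {
  uint8_t buf[256];
  size_t n = build_fvar(buf, sizeof buf, claimed, present);
  unsigned have = sanitized_num_instances(buf, n);
  fvar_head h;
  if (!parse_fvar_head(buf, n, &h)) return 0;
  return h.instanceCount > have ? h.instanceCount - have : 0;
}

int main(void) {
  printf("honest table: %d\n", scenario(2, 2, 0));            /* 2  */
  printf("lying table: %d (overrun %u)\n", scenario(40, 2, 0),
         scenario_overrun(40, 2));                             /* -1, 40 */
  return 0;
}
```

The lying table claims 40 instances but carries two, so face-init resets the count to 0; without the comparison, a buffer sized for 0 instances would be filled from a loop bound of 40. The check uses `<`, so a sanitized count one larger than `instanceCount` (a synthesized default instance) still passes.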
    

1 changed file:

Changes:

  • src/truetype/ttgxvar.c
    ... ... @@ -2207,6 +2207,11 @@
    2207 2207
           FT_FRAME_END
    
    2208 2208
         };
    
    2209 2209
     
    
    2210
    +    /* `num_instances' holds the number of all named instances including  */
    
    2211
    +    /* the default instance, which might be missing in the table of named */
    
    2212
    +    /* instances (in 'fvar').  This value is validated in `sfobjs.c` and  */
    
    2213
    +    /* may be reset to 0 if consistency checks fail.                      */
    
    2214
    +    num_instances = (FT_UInt)face->root.style_flags >> 16;
    
    2210 2215
     
    
    2211 2216
         /* read the font data and set up the internal representation */
    
    2212 2217
         /* if not already done                                       */
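Review bot: the moved comment mixes two quoting styles in one block, `num_instances' (backtick and apostrophe) on line 2210 against `sfobjs.c` (paired backticks) on line 2212; pick one, preferably paired backticks, which the new comment in the next hunk already uses throughout. Placing the assignment above the "read the font data ... if not already done" guard is the right move, since the sanitized count has to be available before `fvar_head` is read for the comparison that follows.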
    
    ... ... @@ -2231,6 +2236,17 @@
    2231 2236
           if ( FT_STREAM_READ_FIELDS( fvar_fields, &fvar_head ) )
    
    2232 2237
             goto Exit;
    
    2233 2238
     
    
    2239
    +      /* If `num_instances` is larger, synthetization of the default  */
    
    2240
    +      /* instance is required.  If `num_instances` is smaller,        */
    
    2241
    +      /* however, the value has been reset to 0 in `sfnt_init_face`   */
    
    2242
    +      /* (in `sfobjs.c`); in this case we have underallocated `mmvar` */
    
    2243
    +      /* structs.                                                     */
    
    2244
    +      if ( num_instances < fvar_head.instanceCount )
    
    2245
    +      {
    
    2246
    +        error = FT_THROW( Invalid_Table );
    
    2247
    +        goto Exit;
    
    2248
    +      }
    
    2249
    +
    
    2234 2250
           usePsName = FT_BOOL( fvar_head.instanceSize ==
    
    2235 2251
                                6 + 4 * fvar_head.axisCount );
    
    2236 2252
     
    
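Review bot: the comment at 2242-2243 says "in this case we have underallocated `mmvar` structs", but at line 2244 nothing has been allocated yet; the storage is prepared later (after the "prepare storage area for MM data" comment), so "we would underallocate" describes the hazard this check prevents. The comparison `num_instances < fvar_head.instanceCount` only catches the smaller case; a `num_instances` larger than `instanceCount + 1` is accepted silently, presumably because `sfnt_init_face` guarantees it cannot happen. Worth saying so in the comment, or adding an FT_ASSERT on `num_instances <= fvar_head.instanceCount + 1`, so the invariant the later allocation relies on is visible here.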
    ... ... @@ -2249,11 +2265,6 @@
    2249 2265
         else
    
    2250 2266
           num_axes = face->blend->num_axis;
    
    2251 2267
     
    
    2252
    -    /* `num_instances' holds the number of all named instances, */
    
    2253
    -    /* including the default instance which might be missing    */
    
    2254
    -    /* in fvar's table of named instances                       */
    
    2255
    -    num_instances = (FT_UInt)face->root.style_flags >> 16;
    
    2256
    -
    
    2257 2268
         /* prepare storage area for MM data; this cannot overflow   */
    
    2258 2269
         /* 32-bit arithmetic because of the size limits used in the */
    
    2259 2270
         /* `fvar' table validity check in `sfnt_init_face'          */
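Review bot: the surviving comment at 2268-2270 justifies the allocation arithmetic solely by the size limits in `sfnt_init_face`; the allocation now also depends on `num_instances >= fvar_head.instanceCount` being enforced at 2244, so extend that comment to name the new check, otherwise a future reader of the allocation sees only one of the two invariants it relies on. Deleting the old comment and assignment here is otherwise a straight move with no behavioural change.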
    

