freetype-commit

[Git][freetype/freetype][master] Avoid strtol on non-null-terminated dat


From: Werner Lemberg (@wl)
Subject: [Git][freetype/freetype][master] Avoid strtol on non-null-terminated data.
Date: Thu, 02 Mar 2023 19:57:13 +0000

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

  • 09b326fa
    by Ben Wagner at 2023-03-02T20:56:41+01:00
    Avoid strtol on non-null-terminated data.
    
    Technically, `strtol` can only be used with C strings terminated with
    `\0`.  CID data is not generally null-terminated and often does not
    contain a `\0` if it is hex-encoded.  AddressSanitizer with `ASAN_OPTIONS`
    containing `strict_string_checks=1` verifies this by using an adversarial
    `strtol` that always reads to the terminating `\0`.
    
    To avoid undefined behavior from `strtol` in `cid_parser_new`, use the
    parser to parse the tokens instead of attempting to parse them ad-hoc.
    This will internally use `PS_Conv_Strtol` to parse the integer, which
    respects the parser's limits and directly implements the PostScript
    parsing rules for integers.
    
    * src/cid/cidparse.c (cid_parser_new): Use the parser to parse the
    tokens.
    
    Fixes: https://bugs.chromium.org/p/chromium/issues/detail?id=1420329
    

1 changed file:

Changes:

  • src/cid/cidparse.c
    ... ... @@ -214,18 +214,24 @@
    214 214
                cur <= limit - STARTDATA_LEN                            &&
    
    215 215
                ft_strncmp( (char*)cur, STARTDATA, STARTDATA_LEN ) == 0 )
    
    216 216
           {
    
    217
    -        if ( ft_strncmp( (char*)arg1, "(Hex)", 5 ) == 0 )
    
    218
    -        {
    
    219
    -          FT_Long  tmp = ft_strtol( (const char *)arg2, NULL, 10 );
    
    217
    +        T1_TokenRec  type_token;
    
    218
    +        FT_Long      binary_length;
    
    220 219
     
    
    221 220
     
    
    222
    -          if ( tmp < 0 )
    
    221
    +        parser->root.cursor = arg1;
    
    222
    +        cid_parser_to_token( parser, &type_token );
    
    223
    +        if ( type_token.limit - type_token.start == 5              &&
    
    224
    +             ft_memcmp( (char*)type_token.start, "(Hex)", 5 ) == 0 )
    
    225
    +        {
    
    226
    +          parser->root.cursor = arg2;
    
    227
    +          binary_length = cid_parser_to_int( parser );
    
    228
    +          if ( binary_length < 0 )
    
    223 229
               {
    
    224 230
                 FT_ERROR(( "cid_parser_new: invalid length of hex data\n" ));
    
    225 231
                 error = FT_THROW( Invalid_File_Format );
    
    226 232
               }
    
    227 233
               else
    
    228
    -            parser->binary_length = (FT_ULong)tmp;
    
    234
    +            parser->binary_length = (FT_ULong)binary_length;
    
    229 235
             }
    
    230 236
     
    
    231 237
             goto Exit;
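
Review bot: In the new `(Hex)` branch, `parser->root.cursor` is overwritten twice (`= arg1`, then `= arg2`) and is not restored before `goto Exit`, so the parser leaves this block with its cursor wherever the integer parse stopped. If anything after `Exit` depends on the cursor position, save it before the two assignments and restore it afterwards; if nothing does, a one-line comment saying the cursor is scratch at this point would make that explicit. Separately, `if ( binary_length < 0 )` only rejects negative values, so it is worth confirming what `cid_parser_to_int` returns when the token at `arg2` is not a number and whether that case should also raise `Invalid_File_Format`. Minor: the `(char*)` cast in the `ft_memcmp` call looks carried over from the `ft_strncmp` version and can probably be dropped, and the literal `5` appears twice where a single named length for `"(Hex)"` would keep the length check and the compare in sync.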
    

