[PATCH] fix null pointer offset UB
From: |
Matthew Lugg |
Subject: |
[PATCH] fix null pointer offset UB |
Date: |
Wed, 28 Sep 2022 19:05:33 +0100 |
---
freetype/src/truetype/ttgxvar.c | 34 ++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/freetype/src/truetype/ttgxvar.c b/freetype/src/truetype/ttgxvar.c
index 6a0edef..53506d6 100644
--- a/freetype/src/truetype/ttgxvar.c
+++ b/freetype/src/truetype/ttgxvar.c
@@ -957,6 +957,10 @@
/* in the OpenType specification. */
varData = &itemStore->varData[outerIndex];
+
+ if ( varData->regionIdxCount == 0 )
+ return FT_fixedToInt( netAdjustment );
+
deltaSet = &varData->deltaSet[varData->regionIdxCount * innerIndex];
/* outer loop steps through master designs to be blended */
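Review bot: The new early return is keyed on `regionIdxCount == 0`, but the undefined behaviour it avoids presumably comes from `deltaSet` being NULL when there are no regions, and nothing in the hunk says so. A short comment above the check would record the intent, e.g. `/* no regions: deltaSet may be NULL, and NULL + 0 is UB in C */`. The hunk also does not show whether `innerIndex` is checked against `varData->itemCount` before the `deltaSet` index is formed. Both values come from font data, so that is worth confirming in the part of the function that lies outside the hunk.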
@@ -1322,22 +1326,26 @@
FT_FRAME_ENTER( blend->mvar_table->valueCount * GX_VALUE_SIZE ) )
return;
- value = blend->mvar_table->values;
- limit = value + blend->mvar_table->valueCount;
- itemStore = &blend->mvar_table->itemStore;
-
- for ( ; value < limit; value++ )
+ value = blend->mvar_table->values;
+
+ if ( value )
{
- value->tag = FT_GET_ULONG();
- value->outerIndex = FT_GET_USHORT();
- value->innerIndex = FT_GET_USHORT();
+ limit = value + blend->mvar_table->valueCount;
+ itemStore = &blend->mvar_table->itemStore;
- if ( value->outerIndex >= itemStore->dataCount ||
- value->innerIndex >= itemStore->varData[value->outerIndex]
- .itemCount )
+ for ( ; value < limit; value++ )
{
- error = FT_THROW( Invalid_Table );
- break;
+ value->tag = FT_GET_ULONG();
+ value->outerIndex = FT_GET_USHORT();
+ value->innerIndex = FT_GET_USHORT();
+
+ if ( value->outerIndex >= itemStore->dataCount ||
+ value->innerIndex >= itemStore->varData[value->outerIndex]
+ .itemCount )
+ {
+ error = FT_THROW( Invalid_Table );
+ break;
+ }
}
}
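Review bot: Wrapping the whole loop in `if ( value )` re-indents the body to fix what is a one-expression problem, the `value + valueCount` offset on a NULL `values` pointer. If the vendored FreeType already provides the `FT_OFFSET` macro, `limit = FT_OFFSET( value, blend->mvar_table->valueCount );` would leave the original loop untouched and keep the diff against upstream small. Either way, a NULL `values` with a non-zero `valueCount` is now skipped silently after the frame has been entered. Presumably that cannot happen after a successful allocation, but it is not visible here, since the enclosing function starts and ends outside the hunk.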
--
2.37.3