Commit 009cc15035160eb412cf7d73df34a84af5738c9b
2015-10-31T17:52:56
[sfnt] Handle infinite recursion in bitmap strikes (#46344). * src/sfnt/ttsbit.c (TT_SBitDecoder_LoadFunc, tt_sbit_decoder_load_bitmap, tt_sbit_decoder_load_byte_aligned, tt_sbit_decoder_load_bit_aligned, tt_sbit_decoder_load_png): Add argument for recursion depth. (tt_sbit_decoder_load_compound): Add argument for recursion depth. Increase recursion counter for recursive call. (tt_sbit_decoder_load_image): Add argument for recursion depth. Check recurse depth. (tt_face_load_sbit_image): Updated.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198
diff --git a/ChangeLog b/ChangeLog
index a03116b..3804dfa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2015-10-31 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Handle infinite recursion in bitmap strikes (#46344).
+
+ * src/sfnt/ttsbit.c (TT_SBitDecoder_LoadFunc,
+ tt_sbit_decoder_load_bitmap, tt_sbit_decoder_load_byte_aligned,
+ tt_sbit_decoder_load_bit_aligned, tt_sbit_decoder_load_png): Add
+ argument for recursion depth.
+ (tt_sbit_decoder_load_compound): Add argument for recursion depth.
+ Increase recursion counter for recursive call.
+ (tt_sbit_decoder_load_image): Add argument for recursion depth.
+ Check recurse depth.
+ (tt_face_load_sbit_image): Updated.
+
2015-10-29 Werner Lemberg <wl@gnu.org>
* src/autofit/afhints.c (af_glyph_hints_dump_points): Minor.
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index 6de8757..c0540f3 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -608,13 +608,16 @@
tt_sbit_decoder_load_image( TT_SBitDecoder decoder,
FT_UInt glyph_index,
FT_Int x_pos,
- FT_Int y_pos );
+ FT_Int y_pos,
+ FT_UInt recurse_count );
- typedef FT_Error (*TT_SBitDecoder_LoadFunc)( TT_SBitDecoder decoder,
- FT_Byte* p,
- FT_Byte* plimit,
- FT_Int x_pos,
- FT_Int y_pos );
+ typedef FT_Error (*TT_SBitDecoder_LoadFunc)(
+ TT_SBitDecoder decoder,
+ FT_Byte* p,
+ FT_Byte* plimit,
+ FT_Int x_pos,
+ FT_Int y_pos,
+ FT_UInt recurse_count );
static FT_Error
@@ -622,7 +625,8 @@
FT_Byte* p,
FT_Byte* limit,
FT_Int x_pos,
- FT_Int y_pos )
+ FT_Int y_pos,
+ FT_UInt recurse_count )
{
FT_Error error = FT_Err_Ok;
FT_Byte* line;
@@ -630,6 +634,8 @@
FT_UInt bit_height, bit_width;
FT_Bitmap* bitmap;
+ FT_UNUSED( recurse_count );
+
/* check that we can write the glyph into the bitmap */
bitmap = decoder->bitmap;
@@ -761,7 +767,8 @@
FT_Byte* p,
FT_Byte* limit,
FT_Int x_pos,
- FT_Int y_pos )
+ FT_Int y_pos,
+ FT_UInt recurse_count )
{
FT_Error error = FT_Err_Ok;
FT_Byte* line;
@@ -770,6 +777,8 @@
FT_Bitmap* bitmap;
FT_UShort rval;
+ FT_UNUSED( recurse_count );
+
/* check that we can write the glyph into the bitmap */
bitmap = decoder->bitmap;
@@ -885,7 +894,8 @@
FT_Byte* p,
FT_Byte* limit,
FT_Int x_pos,
- FT_Int y_pos )
+ FT_Int y_pos,
+ FT_UInt recurse_count )
{
FT_Error error = FT_Err_Ok;
FT_UInt num_components, nn;
@@ -919,8 +929,11 @@
/* NB: a recursive call */
- error = tt_sbit_decoder_load_image( decoder, gindex,
- x_pos + dx, y_pos + dy );
+ error = tt_sbit_decoder_load_image( decoder,
+ gindex,
+ x_pos + dx,
+ y_pos + dy,
+ recurse_count + 1 );
if ( error )
break;
}
@@ -952,11 +965,14 @@
FT_Byte* p,
FT_Byte* limit,
FT_Int x_pos,
- FT_Int y_pos )
+ FT_Int y_pos,
+ FT_UInt recurse_count )
{
FT_Error error = FT_Err_Ok;
FT_ULong png_len;
+ FT_UNUSED( recurse_count );
+
if ( limit - p < 4 )
{
@@ -998,7 +1014,8 @@
FT_ULong glyph_start,
FT_ULong glyph_size,
FT_Int x_pos,
- FT_Int y_pos )
+ FT_Int y_pos,
+ FT_UInt recurse_count )
{
FT_Error error;
FT_Stream stream = decoder->stream;
@@ -1124,7 +1141,7 @@
goto Fail;
}
- error = loader( decoder, p, p_limit, x_pos, y_pos );
+ error = loader( decoder, p, p_limit, x_pos, y_pos, recurse_count );
}
Fail:
@@ -1139,13 +1156,9 @@
tt_sbit_decoder_load_image( TT_SBitDecoder decoder,
FT_UInt glyph_index,
FT_Int x_pos,
- FT_Int y_pos )
+ FT_Int y_pos,
+ FT_UInt recurse_count )
{
- /*
- * First, we find the correct strike range that applies to this
- * glyph index.
- */
-
FT_Byte* p = decoder->eblc_base + decoder->strike_index_array;
FT_Byte* p_limit = decoder->eblc_limit;
FT_ULong num_ranges = decoder->strike_index_count;
@@ -1153,6 +1166,17 @@
FT_ULong image_start = 0, image_end = 0, image_offset;
+ /* arbitrary recursion limit */
+ if ( recurse_count > 100 )
+ {
+ FT_TRACE4(( "tt_sbit_decoder_load_image:"
+ " recursion depth exceeded\n" ));
+ goto Failure;
+ }
+
+
+ /* First, we find the correct strike range that applies to this */
+ /* glyph index. */
for ( ; num_ranges > 0; num_ranges-- )
{
start = FT_NEXT_USHORT( p );
@@ -1317,7 +1341,8 @@
image_start,
image_end,
x_pos,
- y_pos );
+ y_pos,
+ recurse_count );
Failure:
return FT_THROW( Invalid_Table );
@@ -1480,6 +1505,7 @@
error = tt_sbit_decoder_load_image( decoder,
glyph_index,
0,
+ 0,
0 );
tt_sbit_decoder_done( decoder );
}