Commit 25e742c573e3b88e5a4e342733f1836466628ff8
2010-04-06T16:42:56
Add overflow check to `fvar' table. * src/truetype/ttgxvar.c (TT_Get_MM_Var): Check axis and instance count.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
diff --git a/ChangeLog b/ChangeLog
index c22e570..61552c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-04-06 Jonathan Kew <jfkthame@gmail.com>
+
+ Add overflow check to `fvar' table.
+
+ * src/truetype/ttgxvar.c (TT_Get_MM_Var): Check axis and instance
+ count.
+
2010-04-05 Ken Sharp <ken.sharp@artifex.com>
Fix Savannah bug #29335.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ef25aaf..705bb60 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -4,7 +4,7 @@
/* */
/* TrueType GX Font Variation loader */
/* */
-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
/* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -682,7 +682,11 @@
if ( fvar_head.version != (FT_Long)0x00010000L ||
fvar_head.countSizePairs != 2 ||
fvar_head.axisSize != 20 ||
+ /* axisCount limit implied by 16-bit instanceSize */
+ fvar_head.axisCount > 0x3FFE ||
fvar_head.instanceSize != 4 + 4 * fvar_head.axisCount ||
+ /* instanceCount limit implied by limited range of name IDs */
+ fvar_head.instanceCount > 0x7EFF ||
fvar_head.offsetToData + fvar_head.axisCount * 20U +
fvar_head.instanceCount * fvar_head.instanceSize > table_len )
{
@@ -693,7 +697,7 @@
if ( FT_NEW( face->blend ) )
goto Exit;
- /* XXX: TODO - check for overflows */
+ /* cannot overflow 32-bit arithmetic because of limits above */
face->blend->mmvar_len =
sizeof ( FT_MM_Var ) +
fvar_head.axisCount * sizeof ( FT_Var_Axis ) +