Commit 3b8f16803c8a28919966e5ddb5d64ae982556d63

Werner Lemberg 2018-04-04T20:26:08

[cff, type1] Sanitize `BlueFuzz' and `BlueShift'. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7371 * src/cff/cffload.c (cff_load_private_dict): Sanitize `priv->blue_shift' and `priv->blue_fuzz' to avoid overflows later on. * src/type1/t1load.c (T1_Open_Face): Ditto.

diff --git a/ChangeLog b/ChangeLog
index 9133fec..8a8a04d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2018-04-04  Werner Lemberg  <wl@gnu.org>
+
+	[cff, type1] Sanitize `BlueFuzz' and `BlueShift'.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7371
+
+	* src/cff/cffload.c (cff_load_private_dict): Sanitize
+	`priv->blue_shift' and `priv->blue_fuzz' to avoid overflows later
+	on.
+
+	* src/type1/t1load.c (T1_Open_Face): Ditto.
+
 2018-04-04  Ben Wagner  <bungeman@google.com>
 
 	* src/truetype/ttobjs.c (trick_names): Add 3 tricky fonts (#53554),
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index ba49793..1c6fe51 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -1933,6 +1933,24 @@
     else if ( priv->initial_random_seed == 0 )
       priv->initial_random_seed = 987654321;
 
+    /* some sanitizing to avoid overflows later on; */
+    /* the upper limits are ad-hoc values           */
+    if ( priv->blue_shift > 1000 || priv->blue_shift < 0 )
+    {
+      FT_TRACE2(( "cff_load_private_dict:"
+                  " setting unlikely BlueShift value %d to default (7)\n",
+                  priv->blue_shift ));
+      priv->blue_shift = 7;
+    }
+
+    if ( priv->blue_fuzz > 1000 || priv->blue_fuzz < 0 )
+    {
+      FT_TRACE2(( "cff_load_private_dict:"
+                  " setting unlikely BlueFuzz value %d to default (1)\n",
+                  priv->blue_fuzz ));
+      priv->blue_fuzz = 1;
+    }
+
   Exit:
     /* clean up */
     cff_blend_clear( subfont ); /* clear blend stack */
diff --git a/src/pshinter/pshglob.c b/src/pshinter/pshglob.c
index 29f328d..accc049 100644
--- a/src/pshinter/pshglob.c
+++ b/src/pshinter/pshglob.c
@@ -227,8 +227,8 @@
   }
 
 
-  /* Re-read blue zones from the original fonts and store them into out */
-  /* private structure.  This function re-orders, sanitizes and         */
+  /* Re-read blue zones from the original fonts and store them into our */
+  /* private structure.  This function re-orders, sanitizes, and        */
   /* fuzz-expands the zones as well.                                    */
   static void
   psh_blues_set_zones( PSH_Blues  target,
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 2b8d489..9dfa637 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -2493,6 +2493,24 @@
       type1->encoding.num_chars  = loader.num_chars;
     }
 
+    /* some sanitizing to avoid overflows later on; */
+    /* the upper limits are ad-hoc values           */
+    if ( priv->blue_shift > 1000 || priv->blue_shift < 0 )
+    {
+      FT_TRACE2(( "T1_Open_Face:"
+                  " setting unlikely BlueShift value %d to default (7)\n",
+                  priv->blue_shift ));
+      priv->blue_shift = 7;
+    }
+
+    if ( priv->blue_fuzz > 1000 || priv->blue_fuzz < 0 )
+    {
+      FT_TRACE2(( "T1_Open_Face:"
+                  " setting unlikely BlueFuzz value %d to default (1)\n",
+                  priv->blue_fuzz ));
+      priv->blue_fuzz = 1;
+    }
+
   Exit:
     t1_done_loader( &loader );
     return error;