[cff, type1] Sanitize `BlueFuzz' and `BlueShift'. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7371 * src/cff/cffload.c (cff_load_private_dict): Sanitize `priv->blue_shift' and `priv->blue_fuzz' to avoid overflows later on. * src/type1/t1load.c (T1_Open_Face): Ditto.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
diff --git a/ChangeLog b/ChangeLog
index 9133fec..8a8a04d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2018-04-04 Werner Lemberg <wl@gnu.org>
+
+ [cff, type1] Sanitize `BlueFuzz' and `BlueShift'.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7371
+
+ * src/cff/cffload.c (cff_load_private_dict): Sanitize
+ `priv->blue_shift' and `priv->blue_fuzz' to avoid overflows later
+ on.
+
+ * src/type1/t1load.c (T1_Open_Face): Ditto.
+
2018-04-04 Ben Wagner <bungeman@google.com>
* src/truetype/ttobjs.c (trick_names): Add 3 tricky fonts (#53554),
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index ba49793..1c6fe51 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -1933,6 +1933,24 @@
else if ( priv->initial_random_seed == 0 )
priv->initial_random_seed = 987654321;
+ /* some sanitizing to avoid overflows later on; */
+ /* the upper limits are ad-hoc values */
+ if ( priv->blue_shift > 1000 || priv->blue_shift < 0 )
+ {
+ FT_TRACE2(( "cff_load_private_dict:"
+ " setting unlikely BlueShift value %d to default (7)\n",
+ priv->blue_shift ));
+ priv->blue_shift = 7;
+ }
+
+ if ( priv->blue_fuzz > 1000 || priv->blue_fuzz < 0 )
+ {
+ FT_TRACE2(( "cff_load_private_dict:"
+ " setting unlikely BlueFuzz value %d to default (1)\n",
+ priv->blue_fuzz ));
+ priv->blue_fuzz = 1;
+ }
+
Exit:
/* clean up */
cff_blend_clear( subfont ); /* clear blend stack */
diff --git a/src/pshinter/pshglob.c b/src/pshinter/pshglob.c
index 29f328d..accc049 100644
--- a/src/pshinter/pshglob.c
+++ b/src/pshinter/pshglob.c
@@ -227,8 +227,8 @@
}
- /* Re-read blue zones from the original fonts and store them into out */
- /* private structure. This function re-orders, sanitizes and */
+ /* Re-read blue zones from the original fonts and store them into our */
+ /* private structure. This function re-orders, sanitizes, and */
/* fuzz-expands the zones as well. */
static void
psh_blues_set_zones( PSH_Blues target,
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 2b8d489..9dfa637 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -2493,6 +2493,24 @@
type1->encoding.num_chars = loader.num_chars;
}
+ /* some sanitizing to avoid overflows later on; */
+ /* the upper limits are ad-hoc values */
+ if ( priv->blue_shift > 1000 || priv->blue_shift < 0 )
+ {
+ FT_TRACE2(( "T1_Open_Face:"
+ " setting unlikely BlueShift value %d to default (7)\n",
+ priv->blue_shift ));
+ priv->blue_shift = 7;
+ }
+
+ if ( priv->blue_fuzz > 1000 || priv->blue_fuzz < 0 )
+ {
+ FT_TRACE2(( "T1_Open_Face:"
+ " setting unlikely BlueFuzz value %d to default (1)\n",
+ priv->blue_fuzz ));
+ priv->blue_fuzz = 1;
+ }
+
Exit:
t1_done_loader( &loader );
return error;