Commit 3eccc3a3f849f44e50a14c7562e4b9aea1740925
2015-10-20T22:31:57
[cid] Add a bunch of safety checks. * src/cid/cidload.c (parse_fd_array): Check `num_dicts' against stream size. (cid_read_subrs): Check largest offset against stream size. (cid_parse_dict): Move safety check to ... (cid_face_open): ... this function. Also test length of binary data and values of `SDBytes', `SubrMapOffset', `SubrCount', `CIDMapOffset', and `CIDCount'.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238
diff --git a/ChangeLog b/ChangeLog
index 85dcfb0..b95f65e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
2015-10-20 Werner Lemberg <wl@gnu.org>
+ [cid] Add a bunch of safety checks.
+
+ * src/cid/cidload.c (parse_fd_array): Check `num_dicts' against
+ stream size.
+ (cid_read_subrs): Check largest offset against stream size.
+ (cid_parse_dict): Move safety check to ...
+ (cid_face_open): ... this function.
+ Also test length of binary data and values of `SDBytes',
+ `SubrMapOffset', `SubrCount', `CIDMapOffset', and `CIDCount'.
+
+2015-10-20 Werner Lemberg <wl@gnu.org>
+
[cid] Avoid segfault with malformed input (#46250).
* src/cid/cidload.c (cid_read_subrs): Return a proper error code for
diff --git a/src/cid/cidload.c b/src/cid/cidload.c
index 0bf73d4..aa125a4 100644
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -215,6 +215,7 @@
{
CID_FaceInfo cid = &face->cid;
FT_Memory memory = face->root.memory;
+ FT_Stream stream = parser->stream;
FT_Error error = FT_Err_Ok;
FT_Long num_dicts;
@@ -227,6 +228,31 @@
goto Exit;
}
+ /*
+ * A single entry in the FDArray must (at least) contain the following
+ * structure elements.
+ *
+ * %ADOBeginFontDict 18
+ * X dict begin 13
+ * /FontMatrix [X X X X] 22
+ * /Private X dict begin 22
+ * end 4
+ * end 4
+ * %ADOEndFontDict 16
+ *
+ * This needs 18+13+22+22+4+4+16=99 bytes or more. Normally, you also
+ * need a `dup X' at the very beginning and a `put' at the end, so a
+ * rough guess using 100 bytes as the minimum is justified.
+ */
+ if ( (FT_ULong)num_dicts > stream->size / 100 )
+ {
+ FT_TRACE0(( "parse_fd_array: adjusting FDArray size"
+ " (from %d to %d)\n",
+ num_dicts,
+ stream->size / 100 ));
+ num_dicts = (FT_Long)( stream->size / 100 );
+ }
+
if ( !cid->font_dicts )
{
FT_Int n;
@@ -401,16 +427,6 @@
FT_ERROR(( "cid_parse_dict: No font dictionary found\n" ));
return FT_THROW( Invalid_File_Format );
}
-
- /* allow at most 32bit offsets */
- if ( face->cid.fd_bytes > 4 || face->cid.gd_bytes > 4 )
- {
- FT_ERROR(( "cid_parse_dict:"
- " Values of `FDBytes' or `GDBytes' larger than 4\n"
- " "
- " are not supported\n" ));
- return FT_THROW( Invalid_File_Format );
- }
}
return parser->root.error;
@@ -445,13 +461,6 @@
FT_Byte* p;
- /* Check for possible overflow. */
- if ( num_subrs == FT_UINT_MAX )
- {
- error = FT_THROW( Syntax_Error );
- goto Fail;
- }
-
/* reallocate offsets array if needed */
if ( num_subrs + 1 > max_offsets )
{
@@ -485,17 +494,24 @@
for ( count = 1; count <= num_subrs; count++ )
if ( offsets[count - 1] > offsets[count] )
{
- FT_TRACE1(( "cid_read_subrs: offsets are not ordered\n" ));
- error = FT_THROW( Syntax_Error );
+ FT_ERROR(( "cid_read_subrs: offsets are not ordered\n" ));
+ error = FT_THROW( Invalid_File_Format );
goto Fail;
}
+ if ( offsets[num_subrs] > stream->size - cid->data_offset )
+ {
+ FT_ERROR(( "cid_read_subrs: too large `subrs' offsets\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Fail;
+ }
+
/* now, compute the size of subrs charstrings, */
/* allocate, and read them */
data_len = offsets[num_subrs] - offsets[0];
if ( FT_NEW_ARRAY( subr->code, num_subrs + 1 ) ||
- FT_ALLOC( subr->code[0], data_len ) )
+ FT_ALLOC( subr->code[0], data_len ) )
goto Fail;
if ( FT_STREAM_SEEK( cid->data_offset + offsets[0] ) ||
@@ -675,6 +691,12 @@
CID_Parser* parser;
FT_Memory memory = face->root.memory;
FT_Error error;
+ FT_Int n;
+
+ CID_FaceInfo cid = &face->cid;
+
+ FT_ULong binary_length;
+ FT_ULong entry_len;
cid_init_loader( &loader, face );
@@ -699,6 +721,17 @@
if ( parser->binary_length )
{
+ if ( parser->binary_length >
+ face->root.stream->size - parser->data_offset )
+ {
+ FT_TRACE0(( "cid_face_open: adjusting length of binary data\n"
+ " (from %d to %d bytes)\n",
+ parser->binary_length,
+ face->root.stream->size - parser->data_offset ));
+ parser->binary_length = face->root.stream->size -
+ parser->data_offset;
+ }
+
/* we must convert the data section from hexadecimal to binary */
if ( FT_ALLOC( face->binary_data, parser->binary_length ) ||
cid_hex_to_binary( face->binary_data, parser->binary_length,
@@ -707,14 +740,78 @@
FT_Stream_OpenMemory( face->cid_stream,
face->binary_data, parser->binary_length );
- face->cid.data_offset = 0;
+ cid->data_offset = 0;
}
else
{
- *face->cid_stream = *face->root.stream;
- face->cid.data_offset = loader.parser.data_offset;
+ *face->cid_stream = *face->root.stream;
+ cid->data_offset = loader.parser.data_offset;
+ }
+
+ /* sanity tests */
+
+ /* allow at most 32bit offsets */
+ if ( cid->fd_bytes > 4 || cid->gd_bytes > 4 )
+ {
+ FT_ERROR(( "cid_parse_dict:"
+ " Values of `FDBytes' or `GDBytes' larger than 4\n"
+ " "
+ " are not supported\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+ binary_length = face->cid_stream->size - cid->data_offset;
+ entry_len = (FT_ULong)( cid->fd_bytes + cid->gd_bytes );
+
+ for ( n = 0; n < cid->num_dicts; n++ )
+ {
+ CID_FaceDict dict = cid->font_dicts + n;
+
+
+ if ( dict->sd_bytes > 4 )
+ {
+ FT_ERROR(( "cid_parse_dict:"
+ " Values of `SDBytes' larger than 4"
+ " are not supported\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+ if ( dict->subrmap_offset > binary_length )
+ {
+ FT_ERROR(( "cid_parse_dict: Invalid `SubrMapOffset' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+ if ( dict->sd_bytes &&
+ dict->num_subrs >
+ ( binary_length - dict->subrmap_offset ) / dict->sd_bytes )
+ {
+ FT_ERROR(( "cid_parse_dict: Invalid `SubrCount' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+ }
+
+ if ( cid->cidmap_offset > binary_length )
+ {
+ FT_ERROR(( "cid_parse_dict: Invalid `CIDMapOffset' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+ if ( entry_len &&
+ cid->cid_count >
+ ( binary_length - cid->cidmap_offset ) / entry_len )
+ {
+ FT_ERROR(( "cid_parse_dict: Invalid `CIDCount' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
}
+ /* we can now safely proceed */
error = cid_read_subrs( face );
Exit: