Commit 44db1addd80981b1a9cbea6b8608c99592a065ea
2018-08-14T10:01:00
[cff] Fix another segv in old engine. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) [CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in dictionaries.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
diff --git a/ChangeLog b/ChangeLog
index 2f373dd..2ac6500 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
2018-08-14 Werner Lemberg <wl@gnu.org>
+ [cff] Fix another segv in old engine.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872
+
+ * src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
+ [CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in
+ dictionaries.
+
+2018-08-14 Werner Lemberg <wl@gnu.org>
+
[cff] Fix missing error handling.
Reported as
@@ -20,7 +32,7 @@
2018-08-14 Werner Lemberg <wl@gnu.org>
- [cff] Fix segv.
+ [cff] Fix segv in old engine.
Reported as
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 3f4ea15..2c2aa6a 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -860,6 +860,15 @@
case cff_op_flex1:
case cff_op_callsubr:
case cff_op_callgsubr:
+ /* depracated opcodes */
+ case cff_op_dotsection:
+ /* invalid Type 1 opcodes */
+ case cff_op_hsbw:
+ case cff_op_closepath:
+ case cff_op_callothersubr:
+ case cff_op_seac:
+ case cff_op_sbw:
+ case cff_op_setcurrentpoint:
goto MM_Error;
default: