[sfnt] Fix Savannah bug #43588. * src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate, tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect against overflow in additions and multiplications.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
diff --git a/ChangeLog b/ChangeLog
index 7cc5f07..5db1130 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2014-11-12 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Fix Savannah bug #43588.
+
+ * src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
+ tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
+ against overflow in additions and multiplications.
+
2014-11-10 Alexei Podtelezhnikov <apodtele@gmail.com>
[base] CORDIC improvements.
@@ -20,7 +28,7 @@
2014-11-07 Werner Lemberg <wl@gnu.org>
- Fix Savannah bug #43535.
+ [bdf] Fix Savannah bug #43535.
* src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one
character more than `strncmp'.
@@ -28,14 +36,14 @@
2014-11-06 Werner Lemberg <wl@gnu.org>
- Fix Savannah bug #43548.
+ [pcf] Fix Savannah bug #43548.
* src/pcf/pcfread.c (pcf_get_encodings): Add sanity checks for row
and column values.
2014-11-06 Werner Lemberg <wl@gnu.org>
- Fix Savannah bug #43547.
+ [pcf] Fix Savannah bug #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
values.
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index f9acf5d..712bd4f 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1669,7 +1669,8 @@
p = is32 + 8192; /* skip `is32' array */
num_groups = TT_NEXT_ULONG( p );
- if ( p + num_groups * 12 > valid->limit )
+ /* p + num_groups * 12 > valid->limit ? */
+ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -1694,7 +1695,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
count = (FT_UInt32)( end - start + 1 );
@@ -1892,7 +1898,9 @@
count = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 20 + count * 2 )
+ /* length < 20 + count * 2 ? */
+ length < 20 ||
+ ( length - 20 ) / 2 < count )
FT_INVALID_TOO_SHORT;
/* check glyph indices */
@@ -2079,7 +2087,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2101,7 +2111,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
}
@@ -2401,7 +2416,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2787,7 +2804,9 @@
num_selectors = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 10 + 11 * num_selectors )
+ /* length < 10 + 11 * num_selectors ? */
+ length < 10 ||
+ ( length - 10 ) / 11 < num_selectors )
FT_INVALID_TOO_SHORT;
/* check selectors, they must be in increasing order */
@@ -2823,7 +2842,8 @@
FT_ULong lastBase = 0;
- if ( defp + numRanges * 4 > valid->limit )
+ /* defp + numRanges * 4 > valid->limit ? */
+ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numRanges; ++i )
@@ -2850,7 +2870,8 @@
FT_ULong i, lastUni = 0;
- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
+ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )