Commit 65681e6dc1937db57d5905c5dd89e0a306bc0634
2018-09-12T07:40:49
[truetype] Improve VF check. Triggered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255 * src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check for `tupleCount'.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
diff --git a/ChangeLog b/ChangeLog
index ac063f1..6223b23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2018-09-12 Werner Lemberg <wl@gnu.org>
+ [truetype] Improve VF check.
+
+ Triggered by
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255
+
+ * src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
+ for `tupleCount'.
+
+2018-09-12 Werner Lemberg <wl@gnu.org>
+
* src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.
2018-09-10 Armin Hasitzka <prince.cherusker@gmail.com>
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 3a2c540..bb6c684 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3672,6 +3672,7 @@
FT_UInt tupleCount;
FT_ULong offsetToData;
+ FT_ULong dataSize;
FT_ULong here;
FT_UInt i, j;
@@ -3712,9 +3713,11 @@
FT_NEW_ARRAY( has_delta, n_points ) )
goto Fail1;
- if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
- FT_FRAME_ENTER( blend->glyphoffsets[glyph_index + 1] -
- blend->glyphoffsets[glyph_index] ) )
+ dataSize = blend->glyphoffsets[glyph_index + 1] -
+ blend->glyphoffsets[glyph_index];
+
+ if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
+ FT_FRAME_ENTER( dataSize ) )
goto Fail1;
glyph_start = FT_Stream_FTell( stream );
@@ -3731,7 +3734,7 @@
/* rough sanity test */
if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
- blend->gvar_size )
+ dataSize )
{
FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
" invalid glyph variation array header\n" ));