Commit 6e44d78cc1d89f39e1086441ae4cbb2815d9f067
2018-07-28T22:23:16
[type1] Avoid segfaults with `FT_Get_PS_Font_Value'. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610 * src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112
diff --git a/ChangeLog b/ChangeLog
index 382683f..ab5102c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2018-07-28 Werner Lemberg <wl@gnu.org>
+
+ [type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610
+
+ * src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
+
2018-07-27 Werner Lemberg <wl@gnu.org>
[truetype] Make `TT_Set_MM_Blend' idempotent (#54388).
diff --git a/src/type1/t1driver.c b/src/type1/t1driver.c
index e5f6aca..4d46e3e 100644
--- a/src/type1/t1driver.c
+++ b/src/type1/t1driver.c
@@ -270,9 +270,12 @@
break;
case PS_DICT_FONT_NAME:
- retval = ft_strlen( type1->font_name ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_name ), retval );
+ if ( type1->font_name )
+ {
+ retval = ft_strlen( type1->font_name ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_name ), retval );
+ }
break;
case PS_DICT_UNIQUE_ID:
@@ -362,7 +365,7 @@
ok = 1;
}
- if ( ok )
+ if ( ok && type1->subrs )
{
retval = type1->subrs_len[idx] + 1;
if ( value && value_len >= retval )
@@ -559,33 +562,49 @@
break;
case PS_DICT_VERSION:
- retval = ft_strlen( type1->font_info.version ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.version ), retval );
+ if ( type1->font_info.version )
+ {
+ retval = ft_strlen( type1->font_info.version ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.version ), retval );
+ }
break;
case PS_DICT_NOTICE:
- retval = ft_strlen( type1->font_info.notice ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
+ if ( type1->font_info.notice )
+ {
+ retval = ft_strlen( type1->font_info.notice ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
+ }
break;
case PS_DICT_FULL_NAME:
- retval = ft_strlen( type1->font_info.full_name ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
+ if ( type1->font_info.full_name )
+ {
+ retval = ft_strlen( type1->font_info.full_name ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
+ }
break;
case PS_DICT_FAMILY_NAME:
- retval = ft_strlen( type1->font_info.family_name ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.family_name ), retval );
+ if ( type1->font_info.family_name )
+ {
+ retval = ft_strlen( type1->font_info.family_name ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.family_name ),
+ retval );
+ }
break;
case PS_DICT_WEIGHT:
- retval = ft_strlen( type1->font_info.weight ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
+ if ( type1->font_info.weight )
+ {
+ retval = ft_strlen( type1->font_info.weight ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
+ }
break;
case PS_DICT_ITALIC_ANGLE: