[sfnt] Improve handling of invalid SFNT table entries (#45987). This patch fixes weaknesses in function `tt_face_load_font_dir'. - It incorrectly assumed that valid tables are always at the beginning. As a consequence, some valid tables after invalid entries (which are ignored) were never seen. - Duplicate table entries (that is, having the same tag) were not rejected. - The number of valid tables was sometimes too large, leading to access of invalid tables. * src/sfnt/ttload.c (check_table_dir): Add argument to return number of valid tables. Add another tracing message. (tt_face_load_font_dir): Only allocate table array for valid entries as returned by `check_table_dir'. Reject duplicate tables and adjust number of valid tables accordingly.
diff --git a/ChangeLog b/ChangeLog
index 6d41da6..92b5b9b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,29 @@
2015-09-19 Werner Lemberg <wl@gnu.org>
+ [sfnt] Improve handling of invalid SFNT table entries (#45987).
+
+ This patch fixes weaknesses in function `tt_face_load_font_dir'.
+
+ - It incorrectly assumed that valid tables are always at the
+ beginning. As a consequence, some valid tables after invalid
+ entries (which are ignored) were never seen.
+
+ - Duplicate table entries (this is, having the same tag) were not
+ rejected.
+
+ - The number of valid tables was sometimes too large, leading to
+ access of invalid tables.
+
+ * src/sfnt/ttload.c (check_table_dir): Add argument to return number
+ of valid tables.
+ Add another tracing message.
+ (tt_face_load_font_dir): Only allocate table array for valid
+ entries as returned by `check_table_dir'.
+ Reject duplicate tables and adjust number of valid tables
+ accordingly.
+
+2015-09-19 Werner Lemberg <wl@gnu.org>
+
[pcf] Improve `FT_ABS' fix from 2015-09-17 (#45999).
* src/pcf/pcfread.c (pcf_load_font): Do first the cast to FT_Short,
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index ad2975d..c1bd7f0 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -151,7 +151,8 @@
/* Here, we */
/* */
- /* - check that `num_tables' is valid (and adjust it if necessary) */
+ /* - check that `num_tables' is valid (and adjust it if necessary); */
+ /* also return the number of valid table entries */
/* */
/* - look for a `head' table, check its size, and parse it to check */
/* whether its `magic' field is correctly set */
@@ -167,7 +168,8 @@
/* */
static FT_Error
check_table_dir( SFNT_Header sfnt,
- FT_Stream stream )
+ FT_Stream stream,
+ FT_UShort* valid )
{
FT_Error error;
FT_UShort nn, valid_entries = 0;
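Review bot: The new out-parameter `valid` is only assigned at the end of the function (in a later hunk, `*valid = valid_entries;`), so any `goto Exit` taken before that point appears to leave the caller's variable unset. The caller checks `error` before reading it, so this is not a live defect, but an out-parameter that is defined on every return path is easier to reason about; adding `*valid = 0;` immediately after the declarations here does that in one line. The body of check_table_dir continues outside this hunk, so I cannot see every early exit from here.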
@@ -209,7 +211,10 @@
/* we ignore invalid tables */
if ( table.Offset > stream->size )
+ {
+ FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
continue;
+ }
else if ( table.Length > stream->size - table.Offset )
{
/* Some tables have such a simple structure that clipping its */
@@ -273,11 +278,11 @@
has_meta = 1;
}
- sfnt->num_tables = valid_entries;
+ *valid = valid_entries;
- if ( sfnt->num_tables == 0 )
+ if ( !valid_entries )
{
- FT_TRACE2(( "check_table_dir: no tables found\n" ));
+ FT_TRACE2(( "check_table_dir: no valid tables found\n" ));
error = FT_THROW( Unknown_File_Format );
goto Exit;
}
@@ -333,8 +338,7 @@
SFNT_HeaderRec sfnt;
FT_Error error;
FT_Memory memory = stream->memory;
- TT_TableRec* entry;
- FT_Int nn;
+ FT_UShort nn, valid_entries;
static const FT_Frame_Field offset_table_fields[] =
{
@@ -375,85 +379,114 @@
if ( sfnt.format_tag != TTAG_OTTO )
{
/* check first */
- error = check_table_dir( &sfnt, stream );
+ error = check_table_dir( &sfnt, stream, &valid_entries );
if ( error )
{
FT_TRACE2(( "tt_face_load_font_dir:"
" invalid table directory for TrueType\n" ));
-
goto Exit;
}
}
+ else
+ valid_entries = sfnt.num_tables;
- face->num_tables = sfnt.num_tables;
+ face->num_tables = valid_entries;
face->format_tag = sfnt.format_tag;
if ( FT_QNEW_ARRAY( face->dir_tables, face->num_tables ) )
goto Exit;
- if ( FT_STREAM_SEEK( sfnt.offset + 12 ) ||
- FT_FRAME_ENTER( face->num_tables * 16L ) )
+ if ( FT_STREAM_SEEK( sfnt.offset + 12 ) ||
+ FT_FRAME_ENTER( sfnt.num_tables * 16L ) )
goto Exit;
- entry = face->dir_tables;
-
FT_TRACE2(( "\n"
" tag offset length checksum\n"
" ----------------------------------\n" ));
+ valid_entries = 0;
for ( nn = 0; nn < sfnt.num_tables; nn++ )
{
- entry->Tag = FT_GET_TAG4();
- entry->CheckSum = FT_GET_ULONG();
- entry->Offset = FT_GET_ULONG();
- entry->Length = FT_GET_ULONG();
+ TT_TableRec entry;
+ FT_UShort i;
+ FT_Bool duplicate;
+
+
+ entry.Tag = FT_GET_TAG4();
+ entry.CheckSum = FT_GET_ULONG();
+ entry.Offset = FT_GET_ULONG();
+ entry.Length = FT_GET_ULONG();
/* ignore invalid tables that can't be sanitized */
- if ( entry->Offset > stream->size )
+ if ( entry.Offset > stream->size )
continue;
- else if ( entry->Length > stream->size - entry->Offset )
+ else if ( entry.Length > stream->size - entry.Offset )
{
- if ( entry->Tag == TTAG_hmtx ||
- entry->Tag == TTAG_vmtx )
+ if ( entry.Tag == TTAG_hmtx ||
+ entry.Tag == TTAG_vmtx )
{
#ifdef FT_DEBUG_LEVEL_TRACE
- FT_ULong old_length = entry->Length;
+ FT_ULong old_length = entry.Length;
#endif
/* make metrics table length a multiple of 4 */
- entry->Length = ( stream->size - entry->Offset ) & ~3U;
+ entry.Length = ( stream->size - entry.Offset ) & ~3U;
FT_TRACE2(( " %c%c%c%c %08lx %08lx %08lx"
- " (sanitized; original length %08lx)\n",
- (FT_Char)( entry->Tag >> 24 ),
- (FT_Char)( entry->Tag >> 16 ),
- (FT_Char)( entry->Tag >> 8 ),
- (FT_Char)( entry->Tag ),
- entry->Offset,
- entry->Length,
- entry->CheckSum,
+ " (sanitized; original length %08lx)",
+ (FT_Char)( entry.Tag >> 24 ),
+ (FT_Char)( entry.Tag >> 16 ),
+ (FT_Char)( entry.Tag >> 8 ),
+ (FT_Char)( entry.Tag ),
+ entry.Offset,
+ entry.Length,
+ entry.CheckSum,
old_length ));
- entry++;
}
else
continue;
}
+#ifdef FT_DEBUG_LEVEL_TRACE
+ else
+ FT_TRACE2(( " %c%c%c%c %08lx %08lx %08lx",
+ (FT_Char)( entry.Tag >> 24 ),
+ (FT_Char)( entry.Tag >> 16 ),
+ (FT_Char)( entry.Tag >> 8 ),
+ (FT_Char)( entry.Tag ),
+ entry.Offset,
+ entry.Length,
+ entry.CheckSum ));
+#endif
+
+ /* ignore duplicate tables – the first one wins */
+ duplicate = 0;
+ for ( i = 0; i < valid_entries; i++ )
+ {
+ if ( face->dir_tables[i].Tag == entry.Tag )
+ {
+ duplicate = 1;
+ break;
+ }
+ }
+ if ( duplicate )
+ {
+ FT_TRACE2(( " (duplicate, ignored)\n" ));
+ continue;
+ }
else
{
- FT_TRACE2(( " %c%c%c%c %08lx %08lx %08lx\n",
- (FT_Char)( entry->Tag >> 24 ),
- (FT_Char)( entry->Tag >> 16 ),
- (FT_Char)( entry->Tag >> 8 ),
- (FT_Char)( entry->Tag ),
- entry->Offset,
- entry->Length,
- entry->CheckSum ));
- entry++;
+ FT_TRACE2(( "\n" ));
+
+ /* we finally have a valid entry */
+ face->dir_tables[valid_entries++] = entry;
}
}
+ /* final adjustment to number of tables */
+ face->num_tables = valid_entries;
+
FT_FRAME_EXIT();
FT_TRACE2(( "table directory loaded\n\n" ));
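Review bot: The store `face->dir_tables[valid_entries++] = entry;` near the end of the hunk is only in bounds if this loop accepts no more entries than check_table_dir counted, because for non-OTTO fonts the array was sized from that count (`face->num_tables = valid_entries;` earlier in the hunk); the two acceptance predicates live in different functions and nothing here enforces the bound. A one-line guard before the store, `if ( valid_entries >= face->num_tables ) break;` (ideally with a trace message), keeps any future divergence between the two checks — for example in how sanitized hmtx/vmtx entries are counted — from becoming an out-of-bounds write instead of a truncated directory. The duplicate scan over `face->dir_tables[0..valid_entries)` is also quadratic in the directory size, which with an FT_UShort count is presumably acceptable for real fonts but is worth noting for hostile input with tens of thousands of distinct entries. tt_face_load_font_dir continues past the end of this hunk.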