kc3-lang/freetype

Browse

Commit 7eeaf986b5ebb43cbbc8368c6e528ac311d87805

Werner Lemberg 2016-10-14T08:58:17

[truetype] Fix handling of `cvar' table data. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53 * src/truetype/ttgxvar.c (tt_face_vary_cvt): Ignore invalid CVT indices. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

diff --git a/ChangeLog b/ChangeLog
index dc4232f..6b54ef0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2016-10-14  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Fix handling of `cvar' table data.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53
+
+	* src/truetype/ttgxvar.c (tt_face_vary_cvt): Ignore invalid CVT
+	indices.
+
 2016-10-11  Werner Lemberg  <wl@gnu.org>
 
 	[psaux] Fix handling of invalid flex subrs.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 52d612e..11b2908 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1552,10 +1552,15 @@
 
         for ( j = 0; j < point_count; j++ )
         {
-          int      pindex   = localpoints[j];
-          FT_Long  orig_cvt = face->cvt[pindex];
+          int      pindex;
+          FT_Long  orig_cvt;
 
 
+          pindex = localpoints[j];
+          if ( (FT_ULong)pindex >= face->cvt_size )
+            continue;
+
+          orig_cvt          = face->cvt[pindex];
           face->cvt[pindex] = (FT_Short)( orig_cvt +
                                           FT_MulFix( deltas[j], apply ) );
kmx.io     mail     discord kmxgit v0.4.0