kc3-lang/freetype

Browse

Commit 839a023619b593b742f62ffab8e7e4f9da8c1593

Werner Lemberg 2019-09-30T07:41:57

* src/sfnt/sfwoff2.c (reconstruct_font): Fix memory leak. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17812 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103

diff --git a/ChangeLog b/ChangeLog
index bbf2e1b..9dab663 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2019-09-30  Werner Lemberg  <wl@gnu.org>
 
+	* src/sfnt/sfwoff2.c (reconstruct_font): Fix memory leak.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17812
+
+2019-09-30  Werner Lemberg  <wl@gnu.org>
+
 	[woff2] Reject fonts without `head' table.
 
 	Also fix memory deallocation in case of error.
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 2d85ef5..065023b 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1534,7 +1534,7 @@
 
     /* Create a stream for the uncompressed buffer. */
     if ( FT_NEW( stream ) )
-      return FT_THROW( Invalid_Table );
+      goto Fail;
     FT_Stream_OpenMemory( stream, transformed_buf, transformed_buf_size );
 
     FT_ASSERT( FT_STREAM_POS() == 0 );
@@ -1554,16 +1554,16 @@
                   (FT_Char)( table.Tag       ) ));
 
       if ( FT_STREAM_SEEK( table.src_offset ) )
-        return FT_THROW( Invalid_Table );
+        goto Fail;
 
       if ( table.src_offset + table.src_length > transformed_buf_size )
-        return FT_THROW( Invalid_Table );
+        goto Fail;
 
       /* Get stream size for fields of `hmtx' table. */
       if ( table.Tag == TTAG_hhea )
       {
         if ( read_num_hmetrics( stream, &num_hmetrics ) )
-          return FT_THROW( Invalid_Table );
+          goto Fail;
       }
 
       info->num_hmetrics = num_hmetrics;
@@ -1575,7 +1575,7 @@
         if ( table.Tag == TTAG_head )
         {
           if ( table.src_length < 12 )
-            return FT_THROW( Invalid_Table );
+            goto Fail;
 
           buf_cursor = transformed_buf + table.src_offset + 8;
           /* Set checkSumAdjustment = 0 */
@@ -1590,7 +1590,7 @@
 
         if ( WRITE_SFNT_BUF( transformed_buf + table.src_offset,
                              table.src_length ) )
-          return FT_THROW( Invalid_Table );
+          goto Fail;
       }
       else
       {
@@ -1611,7 +1611,7 @@
                                  &dest_offset,
                                  info,
                                  memory ) )
-            return FT_THROW( Invalid_Table );
+            goto Fail;
 
           FT_TRACE4(( "Checksum = %09x.\n", checksum ));
         }
@@ -1625,7 +1625,7 @@
           if ( !is_glyf_xform )
           {
             if ( get_x_mins( stream, indices, num_tables, info, memory ) )
-              return FT_THROW( Invalid_Table );
+              goto Fail;
           }
 
           table.dst_offset = dest_offset;
@@ -1639,13 +1639,13 @@
                                  sfnt_size,
                                  &dest_offset,
                                  memory ) )
-            return FT_THROW( Invalid_Table );
+            goto Fail;
         }
         else
         {
           /* Unknown transform. */
           FT_ERROR(( "Unknown table transform.\n" ));
-          return FT_THROW( Invalid_Table );
+          goto Fail;
         }
       }
kmx.io     mail     discord kmxgit v0.4.0