Commit 91fc3bd7c9ce3dadc5e62110f93328f8b4c8b781
2016-12-29T21:34:46
* src/truetype/ttgxvar.c (TT_Get_MM_Var): Check axis data. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=348
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
diff --git a/ChangeLog b/ChangeLog
index 68940a2..d26fa3f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
2016-12-29 Werner Lemberg <wl@gnu.org>
+ * src/truetype/ttgxvar.c (TT_Get_MM_Var): Check axis data.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=348
+
+2016-12-29 Werner Lemberg <wl@gnu.org>
+
[truetype] Tracing fixes.
* src/truetype/ttgxvar.c (tt_hadvance_adjust): Emit correct
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ad662a4..cdf4183 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1435,6 +1435,17 @@
a->name[3] = (FT_String)( ( a->tag ) & 0xFF );
a->name[4] = '\0';
+ if ( a->minimum > a->def ||
+ a->def > a->maximum )
+ {
+ FT_TRACE2(( "TT_Get_MM_Var:"
+ " invalid \"%s\" axis record; disabling\n",
+ a->name ));
+
+ a->minimum = a->def;
+ a->maximum = a->def;
+ }
+
FT_TRACE5(( " \"%s\": minimum=%.5f, default=%.5f, maximum=%.5f\n",
a->name,
a->minimum / 65536.0,