Commit 9c54d1246abc7172f1e0ca88b786c3b6e32d000b
2016-10-11T08:57:55
[psaux] Fix handling of invalid flex subrs. Problem reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52 * src/psaux/t1decode.c (t1_decoder_parse_charstrings) <op_callothersubr>: Set `flex_state' after error checking.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
diff --git a/ChangeLog b/ChangeLog
index c11716f..dc4232f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2016-10-11 Werner Lemberg <wl@gnu.org>
+ [psaux] Fix handling of invalid flex subrs.
+
+ Problem reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+ <op_callothersubr>: Set `flex_state' after error checking.
+
+2016-10-11 Werner Lemberg <wl@gnu.org>
+
* src/truetype/ttgxvar.c (tt_done_blend): Fix deallocation.
2016-10-08 Werner Lemberg <wl@gnu.org>
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index 4a32b82..119b80f 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -734,7 +734,7 @@
if ( arg_cnt != 3 )
goto Unexpected_OtherSubr;
- if ( decoder->flex_state == 0 ||
+ if ( !decoder->flex_state ||
decoder->num_flex_vectors != 7 )
{
FT_ERROR(( "t1_decoder_parse_charstrings:"
@@ -752,13 +752,14 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
- decoder->flex_state = 1;
- decoder->num_flex_vectors = 0;
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 6 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
+
+ decoder->flex_state = 1;
+ decoder->num_flex_vectors = 0;
break;
case 2: /* add flex vectors */
@@ -769,7 +770,7 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
- if ( decoder->flex_state == 0 )
+ if ( !decoder->flex_state )
{
FT_ERROR(( "t1_decoder_parse_charstrings:"
" missing flex start\n" ));
@@ -1222,9 +1223,9 @@
FT_TRACE4(( " hvcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
x += top[0];
@@ -1269,9 +1270,9 @@
FT_TRACE4(( " rrcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
x += top[0];
@@ -1291,9 +1292,9 @@
FT_TRACE4(( " vhcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
y += top[0];