[sfnt] Fix broken pointer overflow checks. Many compilers such as gcc and clang optimize away pointer overflow checks `p + n < p', because pointer overflow is undefined behavior. Use a safe form `n > p_limit - p' instead. Also avoid possible integer overflow issues, for example, using `num_glyphs > ( p_limit - p ) / 2' rather than `num_glyphs * 2' given a large `num_glyphs'. * src/sfnt/ttsbit0.c (tt_sbit_decoder_load_image): Implement it.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73
diff --git a/ChangeLog b/ChangeLog
index 2ee336b..a81190f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,20 @@
+2013-01-25 Xi Wang <xi.wang@gmail.com>
+
+ [sfnt] Fix broken pointer overflow checks.
+
+ Many compilers such as gcc and clang optimize away pointer overflow
+ checks `p + n < p', because pointer overflow is undefined behavior.
+ Use a safe form `n > p_limit - p' instead.
+
+ Also avoid possible integer overflow issues, for example, using
+ `num_glyphs > ( p_limit - p ) / 2' rather than `num_glyphs * 2'
+ given a large `num_glyphs'.
+
+ * src/sfnt/ttsbit0.c (tt_sbit_decoder_load_image): Implement it.
+
2013-01-25 Werner Lemberg <wl@gnu.org>
- Fix `make multi'
+ [base] Fix `make multi'.
* src/base/ftoutln.c, src/base/fttrigon.c: Include
FT_INTERNAL_CALC_H.
diff --git a/src/sfnt/ttsbit0.c b/src/sfnt/ttsbit0.c
index ffef10a..691bad7 100644
--- a/src/sfnt/ttsbit0.c
+++ b/src/sfnt/ttsbit0.c
@@ -823,11 +823,11 @@
image_offset = FT_NEXT_ULONG( p );
/* overflow check */
- if ( decoder->eblc_base + decoder->strike_index_array + image_offset <
- decoder->eblc_base )
+ p = decoder->eblc_base + decoder->strike_index_array;
+ if ( image_offset > (FT_ULong)( p_limit - p ) )
goto Failure;
- p = decoder->eblc_base + decoder->strike_index_array + image_offset;
+ p += image_offset;
if ( p + 8 > p_limit )
goto NoBitmap;
@@ -894,11 +894,8 @@
num_glyphs = FT_NEXT_ULONG( p );
- /* overflow check */
- if ( p + ( num_glyphs + 1 ) * 4 < p )
- goto Failure;
-
- if ( p + ( num_glyphs + 1 ) * 4 > p_limit )
+ /* overflow check for p + ( num_glyphs + 1 ) * 4 */
+ if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
goto NoBitmap;
for ( mm = 0; mm < num_glyphs; mm++ )
@@ -936,11 +933,8 @@
num_glyphs = FT_NEXT_ULONG( p );
- /* overflow check */
- if ( p + 2 * num_glyphs < p )
- goto Failure;
-
- if ( p + 2 * num_glyphs > p_limit )
+ /* overflow check for p + 2 * num_glyphs */
+ if ( num_glyphs > (FT_ULong)( ( p_limit - p ) >> 1 ) )
goto NoBitmap;
for ( mm = 0; mm < num_glyphs; mm++ )