[cff] More consistency checks for pure CFFs. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=378 * src/cff/cffload.c (cff_font_load): Check element number and size of Name and Top DICT indices.
diff --git a/ChangeLog b/ChangeLog
index 413949c..1a47545 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2017-01-04 Werner Lemberg <wl@gnu.org>
+ [cff] More consistency checks for pure CFFs.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=378
+
+ * src/cff/cffload.c (cff_font_load): Check element number and size
+ of Name and Top DICT indices.
+
+2017-01-04 Werner Lemberg <wl@gnu.org>
+
[cff, truetype] Minor tracing improvement.
* src/cff/cffobjs.c (cff_face_init), src/truetype/ttobjs.c
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index cb1c0b5..52922f4 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -2199,6 +2199,16 @@
goto Exit;
}
+ /* font names must not be empty */
+ if ( font->name_index.data_size < font->name_index.count )
+ {
+ /* for pure CFFs, we still haven't checked enough bytes */
+ /* to be sure that it is a CFF at all */
+ error = pure_cff ? FT_THROW( Unknown_File_Format )
+ : FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
if ( FT_SET_ERROR( cff_index_init( &font->font_dict_index,
stream, 0, cff2 ) ) ||
FT_SET_ERROR( cff_index_init( &string_index,
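Review bot: The comment `/* font names must not be empty */` overstates what the new `data_size < count` check enforces: it is only an aggregate lower bound (at least one byte of index data per entry), so an index where one name is empty and another is long still passes. That is fine as a cheap sniffing heuristic, but the comment should say so, e.g. `/* every name needs at least one byte, so the index data must hold at least `count` bytes; per-entry emptiness is not checked here */`. Whether per-element offset validation happens later (presumably in the index access code) is not visible in this hunk, so I would not rely on this check alone for that. The enclosing function `cff_font_load` starts and ends outside the hunk.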
@@ -2210,6 +2220,15 @@
&font->string_pool,
&font->string_pool_size ) ) )
goto Exit;
+
+ /* there must be a Top DICT index entry for each name index entry */
+ if ( font->name_index.count > font->font_dict_index.count )
+ {
+ FT_ERROR(( "cff_font_load:"
+ " not enough entries in Top DICT index\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
}
font->num_strings = string_index.count;
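Review bot: The new Top DICT count check unconditionally throws `Invalid_File_Format`, whereas the name-index check added earlier in this commit selects `pure_cff ? Unknown_File_Format : Invalid_File_Format` so a pure CFF that is still being sniffed can fall through to other drivers. If the two successful `cff_index_init` calls above are considered sufficient evidence that the input really is a CFF, a one-line comment stating that (e.g. `/* two indices parsed cleanly: treat the file as CFF from here on */`) would stop the next reader from flagging the asymmetry; otherwise the same ternary should be mirrored here. The enclosing function `cff_font_load` continues outside the hunk.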