Commit da34673e54e2fd03f25b69a3a3c5bf2c6862c866
2015-10-10T10:21:27
[truetype] More sanity tests for GX handling. These tests should mainly help avoid unnecessarily large memory allocations in case of malformed fonts. * src/truetype/ttgxvar.c (ft_var_readpackedpoints, ft_var_readpackeddeltas): Check number of points against stream size. (ft_var_load_avar): Check `pairCount' against table length. (ft_var_load_gvar): Check `globalCoordCount' and `glyphCount' against table length. (tt_face_vary_cvt): Check `tupleCount' and `offsetToData'. Fix trace. (TT_Vary_Apply_Glyph_Deltas): Fix trace. Free `sharedpoints' to avoid memory leak.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166
diff --git a/ChangeLog b/ChangeLog
index 20e8b47..9062221 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,23 @@
2015-10-10 Werner Lemberg <wl@gnu.org>
+ [truetype] More sanity tests for GX handling.
+
+ These tests should mainly help avoid unnecessarily large memory
+ allocations in case of malformed fonts.
+
+ * src/truetype/ttgxvar.c (ft_var_readpackedpoints,
+ ft_var_readpackeddeltas): Check number of points against stream
+ size.
+ (ft_var_load_avar): Check `pairCount' against table length.
+ (ft_var_load_gvar): Check `globalCoordCount' and `glyphCount'
+ against table length.
+ (tt_face_vary_cvt): Check `tupleCount' and `offsetToData'.
+ Fix trace.
+ (TT_Vary_Apply_Glyph_Deltas): Fix trace.
+ Free `sharedpoints' to avoid memory leak.
+
+2015-10-10 Werner Lemberg <wl@gnu.org>
+
[truetype] Better protection against malformed GX data (#46166).
* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Correctly
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index e838b87..b8ff141 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -149,6 +149,12 @@
n |= FT_GET_BYTE();
}
+ if ( n > stream->size - stream->pos )
+ {
+ FT_TRACE1(( "ft_var_readpackedpoints: number of points too large\n" ));
+ return NULL;
+ }
+
if ( FT_NEW_ARRAY( points, n ) )
return NULL;
@@ -233,6 +239,12 @@
FT_UNUSED( error );
+ if ( delta_cnt > stream->size - stream->pos )
+ {
+ FT_TRACE1(( "ft_var_readpackeddeltas: number of points too large\n" ));
+ return NULL;
+ }
+
if ( FT_NEW_ARRAY( deltas, delta_cnt ) )
return NULL;
@@ -341,7 +353,8 @@
FT_TRACE5(( " axis %d:\n", i ));
segment->pairCount = FT_GET_USHORT();
- if ( FT_NEW_ARRAY( segment->correspondence, segment->pairCount ) )
+ if ( (FT_ULong)segment->pairCount * 4 > table_len ||
+ FT_NEW_ARRAY( segment->correspondence, segment->pairCount ) )
{
/* Failure. Free everything we have done so far. We must do */
/* it right now since loading the `avar' table is optional. */
@@ -447,10 +460,6 @@
if ( FT_STREAM_READ_FIELDS( gvar_fields, &gvar_head ) )
goto Exit;
- blend->tuplecount = gvar_head.globalCoordCount;
- blend->gv_glyphcnt = gvar_head.glyphCount;
- offsetToData = gvar_start + gvar_head.offsetToData;
-
if ( gvar_head.version != 0x00010000L )
{
FT_TRACE1(( "bad table version\n" ));
@@ -458,8 +467,6 @@
goto Exit;
}
- FT_TRACE2(( "loaded\n" ));
-
if ( gvar_head.axisCount != (FT_UShort)blend->mmvar->num_axis )
{
FT_TRACE1(( "ft_var_load_gvar: number of axes in `gvar' and `cvar'\n"
@@ -468,6 +475,27 @@
goto Exit;
}
+ /* rough sanity check, ignoring offsets */
+ if ( (FT_ULong)gvar_head.globalCoordCount * gvar_head.axisCount >
+ table_len / 2 )
+ {
+ FT_TRACE1(( "ft_var_load_gvar:"
+ " invalid number of global coordinates\n" ));
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+
+ /* rough sanity check: offsets can be either 2 or 4 bytes, */
+ /* and a single variation needs at least 4 bytes per glyph */
+ if ( (FT_ULong)gvar_head.glyphCount *
+ ( ( gvar_head.flags & 1 ) ? 8 : 6 ) > table_len )
+
+ FT_TRACE2(( "loaded\n" ));
+
+ blend->tuplecount = gvar_head.globalCoordCount;
+ blend->gv_glyphcnt = gvar_head.glyphCount;
+ offsetToData = gvar_start + gvar_head.offsetToData;
+
FT_TRACE5(( "gvar: there are %d shared coordinates:\n",
blend->tuplecount ));
@@ -1353,13 +1381,25 @@
goto FExit;
tupleCount = FT_GET_USHORT();
- offsetToData = table_start + FT_GET_USHORT();
+ offsetToData = FT_GET_USHORT();
+
+ /* rough sanity test */
+ if ( offsetToData + tupleCount * 4 > table_len )
+ {
+ FT_TRACE2(( "tt_face_vary_cvt:"
+ " invalid CVT variation array header\n" ));
+
+ error = FT_THROW( Invalid_Table );
+ goto FExit;
+ }
+
+ offsetToData += table_start;
- /* The documentation implies there are flags packed into the */
- /* tuplecount, but John Jenkins says that shared points don't apply */
- /* to `cvar', and no other flags are defined. */
+ /* The documentation implies there are flags packed into */
+ /* `tupleCount', but John Jenkins says that shared points don't apply */
+ /* to `cvar', and no other flags are defined. */
- FT_TRACE5(( "cvar: there are %d tuples:\n", tupleCount ));
+ FT_TRACE5(( "cvar: there are %d tuples:\n", tupleCount & 0xFFF ));
for ( i = 0; i < ( tupleCount & 0xFFF ); i++ )
{
@@ -1833,7 +1873,8 @@
FT_Stream_SeekSet( stream, here );
}
- FT_TRACE5(( "gvar: there are %d tuples:\n", tupleCount ));
+ FT_TRACE5(( "gvar: there are %d tuples:\n",
+ tupleCount & GX_TC_TUPLE_COUNT_MASK ));
for ( i = 0; i < ( tupleCount & GX_TC_TUPLE_COUNT_MASK ); i++ )
{
@@ -2013,6 +2054,8 @@
if ( localpoints != ALL_POINTS )
FT_FREE( localpoints );
+ if ( sharedpoints != ALL_POINTS )
+ FT_FREE( sharedpoints );
FT_FREE( deltas_x );
FT_FREE( deltas_y );