kc3-lang/freetype

Browse

Commit e9a154e70015e602d695d65a588ecb38f5bb38cc

Werner Lemberg 2016-12-31T21:41:08

[truetype] Check axis count in HVAR table. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=362 * src/truetype/ttgxvar.c (ft_var_load_hvar): Check axis count. (ft_var_load_avar): Fix tracing message. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

diff --git a/ChangeLog b/ChangeLog
index 23f5748..df36269 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,15 @@
-2016-09-08  Werner Lemberg  <wl@gnu.org>
+2016-12-31  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Check axis count in HVAR table.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=362
+
+	* src/truetype/ttgxvar.c (ft_var_load_hvar): Check axis count.
+	(ft_var_load_avar): Fix tracing message.
+
+2016-12-30  Werner Lemberg  <wl@gnu.org>
 
 	* Version 2.7.1 released.
 	=========================
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index cf4f7b1..7689870 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -346,7 +346,7 @@
 
     if ( axisCount != (FT_Long)blend->mmvar->num_axis )
     {
-      FT_TRACE2(( "ft_var_load_avar: number of axes in `avar' and `cvar'\n"
+      FT_TRACE2(( "ft_var_load_avar: number of axes in `avar' and `fvar'\n"
                   "                  table are different\n" ));
       goto Exit;
     }
@@ -521,6 +521,14 @@
            FT_READ_USHORT( itemStore->regionCount ) )
         goto Exit;
 
+      if ( itemStore->axisCount != (FT_Long)blend->mmvar->num_axis )
+      {
+        FT_TRACE2(( "ft_var_load_hvar: number of axes in `hvar' and `fvar'\n"
+                    "                  table are different\n" ));
+        error = FT_THROW( Invalid_Table );
+        goto Exit;
+      }
+
       if ( FT_NEW_ARRAY( itemStore->varRegionList, itemStore->regionCount ) )
         goto Exit;
kmx.io     mail     discord kmxgit v0.4.0