diff --git a/ChangeLog b/ChangeLog index 004fc4be6..be013e47e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +2018-09-13 Werner Lemberg + + [truetype] Some fixes for VF checks. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10317 + + * src/truetype/ttgxvar.c (ft_var_load_gvar): Properly exit memory + frame if we have invalid glyph variation data offsets. + (tt_face_vary_cvt): Protect against missing `tuplecoords' array. + Fix typo. + 2018-09-13 Werner Lemberg * src/sfnt/sfdriver.c (sfnt_get_var_ps_name): Fix last commit. diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index bb6c6849d..9f41d0eba 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -1548,11 +1548,9 @@ " invalid glyph variation data offset for index %d\n", i )); error = FT_THROW( Invalid_Table ); - goto Exit; + break; } } - - FT_FRAME_EXIT(); } else { @@ -1573,13 +1571,15 @@ " invalid glyph variation data offset for index %d\n", i )); error = FT_THROW( Invalid_Table ); - goto Exit; + break; } } - - FT_FRAME_EXIT(); } + FT_FRAME_EXIT(); + if ( error ) + goto Exit; + if ( blend->tuplecount != 0 ) { if ( FT_NEW_ARRAY( blend->tuplecoords, @@ -3263,13 +3263,24 @@ " invalid tuple index\n" )); error = FT_THROW( Invalid_Table ); - goto Exit; + goto FExit; } else + { + if ( !blend->tuplecoords ) + { + FT_TRACE2(( "tt_face_vary_cvt:" + " no valid tuple coordinates available\n" )); + + error = FT_THROW( Invalid_Table ); + goto FExit; + } + FT_MEM_COPY( tuple_coords, &blend->tuplecoords[( tupleIndex & 0xFFF ) * blend->num_axis], blend->num_axis * sizeof ( FT_Fixed ) ); + } if ( tupleIndex & GX_TI_INTERMEDIATE_TUPLE ) {