From 346b141762225e91a519ee84a3dc8c423604b294 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 29 Dec 2016 06:03:40 +0100
Subject: [PATCH] [pcf] Protect against gzip bombs.

Fix suggested by Kostya; reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=345

* src/pcf/pcfread.c (pcf_read_TOC): Limit number of TOC entries to
1024.
---
 ChangeLog | 11 +++++++++++
 src/pcf/pcfread.c | 13 +++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ef629ab3b..69b68af4f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2016-12-29 Werner Lemberg
+
+ [pcf] Protect against gzip bombs.
+
+ Fix suggested by Kostya; reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=345
+
+ * src/pcf/pcfread.c (pcf_read_TOC): Limit number of TOC entries to
+ 1024.
+
 2016-12-28 Werner Lemberg
 [psnames] Only declare, not define, data in `pstables.h' (#49949).
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 04f84f8ec..95ee57018 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -109,13 +109,18 @@ THE SOFTWARE.
 if ( stream->size < 16 )
 return FT_THROW( Invalid_File_Format );
- /* we need 16 bytes per TOC entry */
- if ( toc->count > stream->size >> 4 )
+ /* We need 16 bytes per TOC entry. Additionally, as a */
+ /* heuristic protection against gzip bombs (i.e., very */
+ /* small input files that expand to insanely large */
+ /* files), we limit the number of TOC entries to 1024. */
+ if ( toc->count > stream->size >> 4 || toc->count > 1024 )
 {
 FT_TRACE0(( "pcf_read_TOC: adjusting number of tables"
 " (from %d to %d)\n",
- toc->count, stream->size >> 4 ));
- toc->count = stream->size >> 4;
+ toc->count, FT_MIN( stream->size >> 4, 1024 ) ));
+ toc->count = FT_MIN( stream->size >> 4, 1024 );
 }
 if ( FT_NEW_ARRAY( face->toc.tables, toc->count ) )
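Review bot: The 1024 cap is spelled out three times in the new `if` condition and its body, so the test and the assignment can drift apart the next time the limit is tuned; compute the bound once, e.g. `FT_ULong  max_count = FT_MIN( stream->size >> 4, 1024 );` ahead of the `if`, then test `if ( toc->count > max_count )` and assign `toc->count = max_count;`. Giving the 1024 a named constant next to the gzip-bomb comment would likewise leave the limit with a single home. The two `%d` conversions in the FT_TRACE0 call receive `toc->count` and the FT_MIN result, which are unsigned long if `stream->size` and `toc->count` are FT_ULong as elsewhere in FreeType, so `%lu` would match the arguments. pcf_read_TOC's declarations and the rest of its body lie outside the hunk.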