* src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check.

Don't trust `totalSfntSize' unconditionally. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16893
2019-09-01 23:03:09 +02:00 · 2019-09-01 23:03:09 +02:00 · 543a3b939d
parent cbee985a2b
commit 543a3b939d
2 changed files with 26 additions and 1 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2019-09-01  Werner Lemberg  <wl@gnu.org>
+
+	* src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check.
+
+	Don't trust `totalSfntSize' unconditionally.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16893
+
 2019-08-27  Dominik Röttsches  <drott@chromium.org>

 	[woff2] Don't use `FT_UInt64' (#56815).
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@ -2092,7 +2092,22 @@
    /* This is what we normally expect.                              */
    /* Initially trust `totalSfntSize' and change later as required. */
    if ( woff2.totalSfntSize > sfnt_size )
-      sfnt_size = woff2.totalSfntSize;
+    {
+      /* However, adjust the value to something reasonable. */
+
+      /* Factor 64 is heuristic. */
+      if ( ( woff2.totalSfntSize >> 6 ) > sfnt_size )
+        sfnt_size <<= 6;
+      else
+        sfnt_size = woff2.totalSfntSize;
+
+      /* Value 1<<26 = 67108864 is heuristic. */
+      if (sfnt_size >= (1 << 26))
+        sfnt_size = 1 << 26;
+
+      FT_TRACE4(( "adjusting estimate of uncompressed font size to %lu\n",
+                  sfnt_size ));
+    }

    /* Write sfnt header. */
    if ( FT_ALLOC( sfnt, sfnt_size ) ||