[type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610 * src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
This commit is contained in:
parent
c9edca8ee9
commit
6e44d78cc1
10
ChangeLog
10
ChangeLog
|
@ -1,3 +1,13 @@
|
||||||
|
2018-07-28 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
|
||||||
|
|
||||||
|
Reported as
|
||||||
|
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610
|
||||||
|
|
||||||
|
* src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
|
||||||
|
|
||||||
2018-07-27 Werner Lemberg <wl@gnu.org>
|
2018-07-27 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
[truetype] Make `TT_Set_MM_Blend' idempotent (#54388).
|
[truetype] Make `TT_Set_MM_Blend' idempotent (#54388).
|
||||||
|
|
|
@ -270,9 +270,12 @@
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PS_DICT_FONT_NAME:
|
case PS_DICT_FONT_NAME:
|
||||||
retval = ft_strlen( type1->font_name ) + 1;
|
if ( type1->font_name )
|
||||||
if ( value && value_len >= retval )
|
{
|
||||||
ft_memcpy( value, (void *)( type1->font_name ), retval );
|
retval = ft_strlen( type1->font_name ) + 1;
|
||||||
|
if ( value && value_len >= retval )
|
||||||
|
ft_memcpy( value, (void *)( type1->font_name ), retval );
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PS_DICT_UNIQUE_ID:
|
case PS_DICT_UNIQUE_ID:
|
||||||
|
@ -362,7 +365,7 @@
|
||||||
ok = 1;
|
ok = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ok )
|
if ( ok && type1->subrs )
|
||||||
{
|
{
|
||||||
retval = type1->subrs_len[idx] + 1;
|
retval = type1->subrs_len[idx] + 1;
|
||||||
if ( value && value_len >= retval )
|
if ( value && value_len >= retval )
|
||||||
|
@ -559,33 +562,49 @@
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PS_DICT_VERSION:
|
case PS_DICT_VERSION:
|
||||||
retval = ft_strlen( type1->font_info.version ) + 1;
|
if ( type1->font_info.version )
|
||||||
if ( value && value_len >= retval )
|
{
|
||||||
ft_memcpy( value, (void *)( type1->font_info.version ), retval );
|
retval = ft_strlen( type1->font_info.version ) + 1;
|
||||||
|
if ( value && value_len >= retval )
|
||||||
|
ft_memcpy( value, (void *)( type1->font_info.version ), retval );
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PS_DICT_NOTICE:
|
case PS_DICT_NOTICE:
|
||||||
retval = ft_strlen( type1->font_info.notice ) + 1;
|
if ( type1->font_info.notice )
|
||||||
if ( value && value_len >= retval )
|
{
|
||||||
ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
|
retval = ft_strlen( type1->font_info.notice ) + 1;
|
||||||
|
if ( value && value_len >= retval )
|
||||||
|
ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PS_DICT_FULL_NAME:
|
case PS_DICT_FULL_NAME:
|
||||||
retval = ft_strlen( type1->font_info.full_name ) + 1;
|
if ( type1->font_info.full_name )
|
||||||
if ( value && value_len >= retval )
|
{
|
||||||
ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
|
retval = ft_strlen( type1->font_info.full_name ) + 1;
|
||||||
|
if ( value && value_len >= retval )
|
||||||
|
ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PS_DICT_FAMILY_NAME:
|
case PS_DICT_FAMILY_NAME:
|
||||||
retval = ft_strlen( type1->font_info.family_name ) + 1;
|
if ( type1->font_info.family_name )
|
||||||
if ( value && value_len >= retval )
|
{
|
||||||
ft_memcpy( value, (void *)( type1->font_info.family_name ), retval );
|
retval = ft_strlen( type1->font_info.family_name ) + 1;
|
||||||
|
if ( value && value_len >= retval )
|
||||||
|
ft_memcpy( value, (void *)( type1->font_info.family_name ),
|
||||||
|
retval );
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PS_DICT_WEIGHT:
|
case PS_DICT_WEIGHT:
|
||||||
retval = ft_strlen( type1->font_info.weight ) + 1;
|
if ( type1->font_info.weight )
|
||||||
if ( value && value_len >= retval )
|
{
|
||||||
ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
|
retval = ft_strlen( type1->font_info.weight ) + 1;
|
||||||
|
if ( value && value_len >= retval )
|
||||||
|
ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case PS_DICT_ITALIC_ANGLE:
|
case PS_DICT_ITALIC_ANGLE:
|
||||||
|
|
Loading…
Reference in New Issue