From 7a493e3a404cd04ad2d798e985d7441bd2d955ea Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sat, 8 Jan 2022 10:28:19 +0100 Subject: [PATCH] [sfnt, type42] Correct previous commit. Really fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42773. * src/sfnt/ttload.c (check_table_dir): Revert change. * src/type42/t42.parse.c (t42_parse_sfnts): Don't use `FT_QREALLOC` but `FT_REALLOC` for setting up `ttf_data` to avoid uninitialized memory access while handling malformed TrueType fonts later on. --- src/sfnt/ttload.c | 2 +- src/type42/t42parse.c | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c index 184e43ec2..51416d80b 100644 --- a/src/sfnt/ttload.c +++ b/src/sfnt/ttload.c @@ -200,7 +200,7 @@ for ( nn = 0; nn < sfnt->num_tables; nn++ ) { - TT_TableRec table = { 0, 0, 0, 0 }; + TT_TableRec table; if ( FT_STREAM_READ_FIELDS( table_dir_entry_fields, &table ) ) diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c index ea2c5198a..0407b1a11 100644 --- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -718,7 +718,9 @@ goto Fail; } - if ( FT_QREALLOC( face->ttf_data, 12, face->ttf_size ) ) + /* To handle bad fonts with an invalid table directory */ + /* we don't use `FT_QREALLOC` here. */ + if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) ) goto Fail; } /* fall through */ @@ -767,8 +769,13 @@ FT_TRACE2(( " allocating %ld bytes\n", face->ttf_size + 1 )); FT_TRACE2(( "\n" )); - if ( FT_QREALLOC( face->ttf_data, 12 + 16 * num_tables, - face->ttf_size + 1 ) ) + /* To handle bad fonts we don't use `FT_QREALLOC` here: */ + /* chances are high that due to incorrect values in the */ + /* table directory the computation of `ttf_size` would be */ + /* incorrect otherwise, causing run-time errors because of */ + /* accessing uninitialized memory. */ + if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables, + face->ttf_size + 1 ) ) goto Fail; } /* fall through */
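Review bot: Without the initializer, `table` is indeterminate until `FT_STREAM_READ_FIELDS` fills it, so the new line is only safe if `table_dir_entry_fields` covers every member of `TT_TableRec` and the error branch on the next line leaves the loop without reading `table`; neither is visible in the hunk. Since the previous commit mistook this zero-fill for the fix, a one-line note would keep it from being re-added, e.g. `/* all members are set by FT_STREAM_READ_FIELDS below */`. The `for` loop starts before the hunk and its body continues after the last line shown.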
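Review bot: `FT_REALLOC` clears only the bytes from its `cursz` argument (`12`) up to `face->ttf_size`, so the call still relies on the first 12 bytes having been fully written by the header copy before this point and on `ttf_data` having been allocated with exactly 12 bytes, both outside the hunk, and the new comment does not say what is being zeroed or why. Suggested wording: `/* Use FT_REALLOC rather than FT_QREALLOC so that bytes [12, ttf_size) */` `/* are zeroed; a malformed table directory may leave some of them unread. */`. The ChangeLog text in the description names `src/type42/t42.parse.c`, but the file changed is `src/type42/t42parse.c`. The enclosing `switch` case begins before the hunk and falls through into code after it.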
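Review bot: Zero-filling `[12 + 16 * num_tables, ttf_size + 1)` makes later reads of `ttf_data` deterministic, but nothing in the hunk rejects a font whose `sfnts` data never fills the buffer to the size the table directory declared, so such a font now parses zeros instead of being refused. If the copy that follows keeps a count of bytes stored (the hunk does not show it), the complementary check is to fail with `FT_THROW( Invalid_File_Format )` when that count falls short of `face->ttf_size` once the array is exhausted; otherwise the new comment should say that a short `sfnts` array is tolerated by design. The `+ 1` in `face->ttf_size + 1` is not explained by the new comment either. The function continues outside the hunk on both sides.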