[psaux] Fix handling of invalid flex subrs.
Problem reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52 * src/psaux/t1decode.c (t1_decoder_parse_charstrings) <op_callothersubr>: Set `flex_state' after error checking.
This commit is contained in:
parent
922812281c
commit
9c54d1246a
11
ChangeLog
11
ChangeLog
|
@ -1,3 +1,14 @@
|
||||||
|
2016-10-11 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[psaux] Fix handling of invalid flex subrs.
|
||||||
|
|
||||||
|
Problem reported as
|
||||||
|
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52
|
||||||
|
|
||||||
|
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
|
||||||
|
<op_callothersubr>: Set `flex_state' after error checking.
|
||||||
|
|
||||||
2016-10-11 Werner Lemberg <wl@gnu.org>
|
2016-10-11 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
* src/truetype/ttgxvar.c (tt_done_blend): Fix deallocation.
|
* src/truetype/ttgxvar.c (tt_done_blend): Fix deallocation.
|
||||||
|
|
|
@ -734,7 +734,7 @@
|
||||||
if ( arg_cnt != 3 )
|
if ( arg_cnt != 3 )
|
||||||
goto Unexpected_OtherSubr;
|
goto Unexpected_OtherSubr;
|
||||||
|
|
||||||
if ( decoder->flex_state == 0 ||
|
if ( !decoder->flex_state ||
|
||||||
decoder->num_flex_vectors != 7 )
|
decoder->num_flex_vectors != 7 )
|
||||||
{
|
{
|
||||||
FT_ERROR(( "t1_decoder_parse_charstrings:"
|
FT_ERROR(( "t1_decoder_parse_charstrings:"
|
||||||
|
@ -752,13 +752,14 @@
|
||||||
if ( arg_cnt != 0 )
|
if ( arg_cnt != 0 )
|
||||||
goto Unexpected_OtherSubr;
|
goto Unexpected_OtherSubr;
|
||||||
|
|
||||||
|
if ( ( error = t1_builder_start_point( builder, x, y ) )
|
||||||
|
!= FT_Err_Ok ||
|
||||||
|
( error = t1_builder_check_points( builder, 6 ) )
|
||||||
|
!= FT_Err_Ok )
|
||||||
|
goto Fail;
|
||||||
|
|
||||||
decoder->flex_state = 1;
|
decoder->flex_state = 1;
|
||||||
decoder->num_flex_vectors = 0;
|
decoder->num_flex_vectors = 0;
|
||||||
if ( ( error = t1_builder_start_point( builder, x, y ) )
|
|
||||||
!= FT_Err_Ok ||
|
|
||||||
( error = t1_builder_check_points( builder, 6 ) )
|
|
||||||
!= FT_Err_Ok )
|
|
||||||
goto Fail;
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 2: /* add flex vectors */
|
case 2: /* add flex vectors */
|
||||||
|
@ -769,7 +770,7 @@
|
||||||
if ( arg_cnt != 0 )
|
if ( arg_cnt != 0 )
|
||||||
goto Unexpected_OtherSubr;
|
goto Unexpected_OtherSubr;
|
||||||
|
|
||||||
if ( decoder->flex_state == 0 )
|
if ( !decoder->flex_state )
|
||||||
{
|
{
|
||||||
FT_ERROR(( "t1_decoder_parse_charstrings:"
|
FT_ERROR(( "t1_decoder_parse_charstrings:"
|
||||||
" missing flex start\n" ));
|
" missing flex start\n" ));
|
||||||
|
@ -1222,9 +1223,9 @@
|
||||||
FT_TRACE4(( " hvcurveto" ));
|
FT_TRACE4(( " hvcurveto" ));
|
||||||
|
|
||||||
if ( ( error = t1_builder_start_point( builder, x, y ) )
|
if ( ( error = t1_builder_start_point( builder, x, y ) )
|
||||||
!= FT_Err_Ok ||
|
!= FT_Err_Ok ||
|
||||||
( error = t1_builder_check_points( builder, 3 ) )
|
( error = t1_builder_check_points( builder, 3 ) )
|
||||||
!= FT_Err_Ok )
|
!= FT_Err_Ok )
|
||||||
goto Fail;
|
goto Fail;
|
||||||
|
|
||||||
x += top[0];
|
x += top[0];
|
||||||
|
@ -1269,9 +1270,9 @@
|
||||||
FT_TRACE4(( " rrcurveto" ));
|
FT_TRACE4(( " rrcurveto" ));
|
||||||
|
|
||||||
if ( ( error = t1_builder_start_point( builder, x, y ) )
|
if ( ( error = t1_builder_start_point( builder, x, y ) )
|
||||||
!= FT_Err_Ok ||
|
!= FT_Err_Ok ||
|
||||||
( error = t1_builder_check_points( builder, 3 ) )
|
( error = t1_builder_check_points( builder, 3 ) )
|
||||||
!= FT_Err_Ok )
|
!= FT_Err_Ok )
|
||||||
goto Fail;
|
goto Fail;
|
||||||
|
|
||||||
x += top[0];
|
x += top[0];
|
||||||
|
@ -1291,9 +1292,9 @@
|
||||||
FT_TRACE4(( " vhcurveto" ));
|
FT_TRACE4(( " vhcurveto" ));
|
||||||
|
|
||||||
if ( ( error = t1_builder_start_point( builder, x, y ) )
|
if ( ( error = t1_builder_start_point( builder, x, y ) )
|
||||||
!= FT_Err_Ok ||
|
!= FT_Err_Ok ||
|
||||||
( error = t1_builder_check_points( builder, 3 ) )
|
( error = t1_builder_check_points( builder, 3 ) )
|
||||||
!= FT_Err_Ok )
|
!= FT_Err_Ok )
|
||||||
goto Fail;
|
goto Fail;
|
||||||
|
|
||||||
y += top[0];
|
y += top[0];
|
||||||
|
|
Loading…
Reference in New Issue