ReceiveTempSMS
/
Al-Qurtas-Islamic-bank-The-Best-Bank-in-Iraq
forked from minhngoc25a/freetype2
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[truetype] Sanitize only last entry of `loca' table. 

Without this patch, a loca sequence like `0 100000 0 100000 ...',
where value 100000 is larger than the `glyf' table size, makes
FreeType handle the whole `glyf' table as a single glyph again and
again, which is certainly invalid (and can be very slow, too).

* src/truetype/ttpload.c (tt_face_get_location): Implement.
Improve tracing messages.
This commit is contained in:
Werner Lemberg 2016-09-25 16:29:05 +02:00
parent d11e8b6e6d
commit a764963f26
2 changed files with 35 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ChangeLog
View File

@ -1,3 +1,15 @@
2016-09-25 Werner Lemberg <wl@gnu.org>
[truetype] Sanitize only last entry of `loca' table.
Without this patch, a loca sequence like `0 100000 0 100000 ...',
where value 100000 is larger than the `glyf' table size, makes
FreeType handle the whole `glyf' table as a single glyph again and
again, which is certainly invalid (and can be very slow, too).
* src/truetype/ttpload.c (tt_face_get_location): Implement.
Improve tracing messages.
2016-09-25 Werner Lemberg <wl@gnu.org> 2016-09-25 Werner Lemberg <wl@gnu.org>
* src/tools/ftfuzzer/ftfuzzer.cc (LLVMFuzzerTestOneInput): Fix typo. * src/tools/ftfuzzer/ftfuzzer.cc (LLVMFuzzerTestOneInput): Fix typo.

24
src/truetype/ttpload.c
View File

@ -222,27 +222,41 @@
} }
} }
/* Check broken location data */ /* Check broken location data. */
if ( pos1 > face->glyf_len ) if ( pos1 > face->glyf_len )
{ {
FT_TRACE1(( "tt_face_get_location:" FT_TRACE1(( "tt_face_get_location:"
" too large offset=0x%08lx found for gid=0x%04lx,\n" " too large offset (0x%08lx) found for glyph index %ld,\n"
" " " "
" exceeding the end of glyf table (0x%08lx)\n", " exceeding the end of `glyf' table (0x%08lx)\n",
pos1, gindex, face->glyf_len )); pos1, gindex, face->glyf_len ));
*asize = 0; *asize = 0;
return 0; return 0;
} }
if ( pos2 > face->glyf_len ) if ( pos2 > face->glyf_len )
{
/* We try to sanitize the last `loca' entry. */
if ( gindex == face->num_locations - 1 )
{ {
FT_TRACE1(( "tt_face_get_location:" FT_TRACE1(( "tt_face_get_location:"
" too large offset=0x%08lx found for gid=0x%04lx,\n" " too large offset (0x%08lx) found for glyph index %ld,\n"
" " " "
" truncate at the end of glyf table (0x%08lx)\n", " truncating at the end of `glyf' table (0x%08lx)\n",
pos2, gindex + 1, face->glyf_len )); pos2, gindex + 1, face->glyf_len ));
pos2 = face->glyf_len; pos2 = face->glyf_len;
} }
else
{
FT_TRACE1(( "tt_face_get_location:"
" too large offset (0x%08lx) found for glyph index %ld,\n"
" "
" exceeding the end of `glyf' table (0x%08lx)\n",
pos2, gindex + 1, face->glyf_len ));
*asize = 0;
return 0;
}
}
/* The `loca' table must be ordered; it refers to the length of */ /* The `loca' table must be ordered; it refers to the length of */
/* an entry as the difference between the current and the next */ /* an entry as the difference between the current and the next */