From b03c4a0a3f033dc1477404193734b964b4647a35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dirk=20M=C3=BCller?=
Date: Fri, 22 Jul 2011 05:24:11 +0200
Subject: [PATCH] [psaux, type1] Fix null pointer dereferences.

Found with font fuzzying.

* src/psaux/t1decode.c (t1_decoder_parse_charstrings): Check `decoder->buildchar'.

* src/type1/t1load.c (t1_load_keyword): Check `blend->num_designs'.
---
 ChangeLog | 11 +++++++++++
 src/psaux/t1decode.c | 2 +-
 src/type1/t1load.c | 6 ++++--
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 23f1194c7..b25b62905 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2011-07-22 Dirk Müller
+
+ [psaux, type1] Fix null pointer dereferences.
+
+ Found with font fuzzying.
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings): Check
+ `decoder->buildchar'.
+
+ * src/type1/t1load.c (t1_load_keyword): Check `blend->num_designs'.
+
 2011-07-20 Chris Morgan
 
 Add FT_CONFIG_OPTION_DISABLE_STREAM_SUPPORT.
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index daeea1e7e..90874f022 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -397,7 +397,7 @@
 FT_ASSERT( ( decoder->len_buildchar == 0 ) == ( decoder->buildchar == NULL ) );
- if ( decoder->len_buildchar > 0 )
+ if ( decoder->buildchar && decoder->len_buildchar > 0 )
 ft_memset( &decoder->buildchar[0], 0, sizeof( decoder->buildchar[0] ) * decoder->len_buildchar );
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 09fe6adf5..38c74b277 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -4,8 +4,7 @@
 /* */
 /* Type 1 font loader (body). */
 /* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, */
-/* 2010 by */
+/* Copyright 1996-2011 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
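Review bot: In the t1decode.c hunk the added `decoder->buildchar` test on the changed `if` is the only guard that survives a non-debug build, because the `FT_ASSERT` immediately above it compiles to nothing there; without a comment the new test reads as redundant with the assertion and invites a later "cleanup" that removes it. Suggested, on the line before the `if`: `/* FT_ASSERT is a no-op in non-debug builds: keep the explicit NULL test */`. Note that the fix only skips the `ft_memset`; if a fuzzed font can reach this point with `len_buildchar > 0` and `buildchar == NULL`, the invariant the assertion states is already broken, and any later code that indexes `buildchar` up to `len_buildchar` (outside this hunk) presumably needs the same guard or an error return — worth confirming. The enclosing function t1_decoder_parse_charstrings starts outside the hunk.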
@@ -922,6 +921,9 @@
 PS_Blend blend = face->blend;
+ if ( blend && blend->num_designs == 0 )
+ blend = NULL;
+
 /* if the keyword has a dedicated callback, call it */
 if ( field->type == T1_FIELD_TYPE_CALLBACK )
 {
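Review bot: Resetting the local `blend` to NULL when `blend->num_designs == 0` protects only this function's own uses of `blend`; `face->blend` itself still points at the design-less object, so the callback dispatched in the `T1_FIELD_TYPE_CALLBACK` branch just below (which presumably receives `face`, not `blend`) and any other reader of `face->blend` still see it — fine if those paths never touch `num_designs`, but that should be confirmed rather than assumed. The guard also needs a why-comment, since nothing here explains why zero designs makes the blend unusable; suggested on the line before the new `if`: `/* a blend with no designs is unusable: treat it as absent below */`. t1_load_keyword's body continues past the end of the hunk.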