From e9a154e70015e602d695d65a588ecb38f5bb38cc Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sat, 31 Dec 2016 21:41:08 +0100 Subject: [PATCH] [truetype] Check axis count in HVAR table. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=362 * src/truetype/ttgxvar.c (ft_var_load_hvar): Check axis count. (ft_var_load_avar): Fix tracing message. --- ChangeLog | 13 ++++++++++++- src/truetype/ttgxvar.c | 10 +++++++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 23f574823..df3626970 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,15 @@ -2016-09-08 Werner Lemberg +2016-12-31 Werner Lemberg + + [truetype] Check axis count in HVAR table. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=362 + + * src/truetype/ttgxvar.c (ft_var_load_hvar): Check axis count. + (ft_var_load_avar): Fix tracing message. + +2016-12-30 Werner Lemberg * Version 2.7.1 released. ========================= diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index cf4f7b17a..768987027 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -346,7 +346,7 @@ if ( axisCount != (FT_Long)blend->mmvar->num_axis ) { - FT_TRACE2(( "ft_var_load_avar: number of axes in `avar' and `cvar'\n" + FT_TRACE2(( "ft_var_load_avar: number of axes in `avar' and `fvar'\n" " table are different\n" )); goto Exit; } @@ -521,6 +521,14 @@ FT_READ_USHORT( itemStore->regionCount ) ) goto Exit; + if ( itemStore->axisCount != (FT_Long)blend->mmvar->num_axis ) + { + FT_TRACE2(( "ft_var_load_hvar: number of axes in `hvar' and `fvar'\n" + " table are different\n" )); + error = FT_THROW( Invalid_Table ); + goto Exit; + } + if ( FT_NEW_ARRAY( itemStore->varRegionList, itemStore->regionCount ) ) goto Exit;