Commit Graph

4278 Commits

Author SHA1 Message Date
Werner Lemberg 933f4cbe79 [cff] Integer overflow.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2738

* src/cff/cf2hints.c (cf2_glyphpath_computeOffset,
cf2_glyphpath_curveTo): Use ADD_INT32.
2017-07-26 23:32:32 +02:00
Werner Lemberg 38bdf22bfe [truetype] Improve code comment. 2017-07-13 10:28:09 +02:00
Werner Lemberg fe0a7d9df5 [base] Fix memory leak.
Reported as

  https://bugs.chromium.org/p/chromium/issues/detail?id=738362

* src/base/ftglyph.c (FT_Get_Glyph): Do proper deallocation in case
of error.
2017-07-13 10:25:42 +02:00
Werner Lemberg 134de096e0 [base] Integer overflow.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2573

* src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use
FT_PIX_CEIL_LONG and FT_PIX_ROUND_LONG.
2017-07-12 22:16:37 +02:00
Werner Lemberg 3d083fc213 * src/truetype/ttpload.c (tt_face_get_location): Off-by-one typo.
Also improve tracing message.

Problem reported as

  https://bugs.chromium.org/p/chromium/issues/detail?id=738919
2017-07-12 00:24:48 +02:00
Werner Lemberg 9ea83c7889 [cff] Integer overflow.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517

* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
2017-07-07 17:09:43 +02:00
Werner Lemberg cf8d9b4ce3 * src/sfnt/ttcmap.c (tt_cmap_unicode_class_rec): Fix warning. 2017-07-05 23:07:01 +02:00
Werner Lemberg 4261e497d8 * src/truetype/ttgxvar.c (FT_Stream_SeekSet): Fix warning (#51395). 2017-07-05 23:00:23 +02:00
Werner Lemberg 1c85479d2d [truetype] Prevent address overflow (#51365).
* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Add guard.
2017-07-04 08:08:54 +02:00
Alexei Podtelezhnikov c56d8851ea * src/base/ftlcdfil.c (ft_lcd_filter_fir): Improve code. 2017-07-03 22:49:07 -04:00
Werner Lemberg ca799e9be5 [truetype] Integer overflow.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2455

* src/truetype/ttinterp.c (Ins_SCFS): Use SUB_LONG.
2017-07-03 06:27:52 +02:00
Alexei Podtelezhnikov abeb28f161 * src/sfnt/sfobjs.c (sfnt_load_face): Ignore No_Unicode_Glyph_Name. 2017-07-01 16:48:32 -04:00
Ben Wagner 7819aeb622 Avoid Microsoft compiler warnings (#51331).
While clang's sanitizer recommends a cast to unsigned for safe
negation (to handle -INT_MIN), both MSVC and Visualc emit warning
C4146 if an unsigned value gets negated.

* include/freetype/internal/ftcalc.h (NEG_LONG, NEG_INT32),
src/base/ftcalc.c (FT_MOVE_SIGN): Replace negation with a
subtraction.
2017-06-28 22:57:41 +02:00
Werner Lemberg 2e7bb5e825 * src/cff/cffparse.c (do_fixed): Fix typo.
Spotted by chris <chris@gcjd.org>.
2017-06-27 16:56:38 +02:00
Werner Lemberg dde8f5abbe [truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391

* src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
NEG_LONG.

* src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
2017-06-27 06:16:04 +02:00
Werner Lemberg b27cef27ff [truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364

* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
2017-06-24 20:17:46 +02:00
Werner Lemberg 298e2ea5a6 [cff, truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328

* src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
SUB_INT32.

* src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
2017-06-22 11:52:43 +02:00
Alexei Podtelezhnikov 75cb071b3f [sfnt] Synthesize a Unicode charmap if one is missing.
* src/sfnt/ttcmap.h (tt_cmap_unicode_class_rec): Declare it.
* src/sfnt/ttcmap.c (tt_get_glyph_name, tt_cmap_unicode_init,
tt_cmap_unicode_done, tt_cmap_unicode_char_index,
tt_cmap_unicode_char_next, tt_cmap_unicode_class_rec): Implement
synthetic Unicode charmap class.
(tt_get_cmap_info): Make sure the callback is available.

* src/sfnt/sfobjs.c (sfnt_load_face)
[FT_CONFIG_OPTION_POSTSCRIPT_NAMES]: If Unicode charmap is missing,
synthesize one.

* include/freetype/config/ftoption.h: Document it.
* devel/ftoption.h: Ditto.
2017-06-21 22:52:37 -04:00
Werner Lemberg 390048fa46 Remove deprecated comment. 2017-06-20 18:03:20 +02:00
Werner Lemberg 8c763fb1be [cff, truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2300
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2313

* src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use ADD_INT32.

* src/truetype/ttinterp.c (Ins_ABS): Avoid FT_ABS.
2017-06-20 07:49:52 +02:00
Alexei Podtelezhnikov 7b7278334c [base, smooth] LCD filtering cleanups.
* src/base/ftlcdlil.c (ft_lcd_filter_fir, _ft_lcd_filter_legacy):
Clean up, start filtering from the bottom-left origin.

* src/smooth/ftsmooth.c (ft_smooth_render_generic): Updated.
2017-06-17 23:28:14 -04:00
Werner Lemberg 4dc00cf5c0 [truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2270
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2278

* src/truetype/ttinterp.c (Ins_MDRP, _iup_worker_interpolate): Use
ADD_LONG and SUB_LONG.
2017-06-16 13:33:09 +02:00
Werner Lemberg dbeb7bce7f [bdf, cff] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2244
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2261

* src/bdf/bdfdrivr.c (BDF_Face_Init): Replace calls to FT_ABS with
direct code to avoid value negation.

* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32 and
ADD_INT32.
2017-06-15 19:39:50 +02:00
Werner Lemberg 79e3789f81 * src/winfonts/winfnt.c (FNT_Face_Init): Don't set active encoding.
FreeType only sets a default active encoding for Unicode.
2017-06-14 07:51:04 +02:00
Werner Lemberg 5c402d97af [cff, truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218

* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.

* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
2017-06-13 06:56:48 +02:00
Werner Lemberg 3ed3a96181 [cff] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2200
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2210

* src/cff/cf2hints.c (cf2_hintmap_insertHint): Use SUB_INT32 and
ADD_INT32.

* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdVMOVETO>: Use
ADD_INT32.
2017-06-11 13:50:37 +02:00
Werner Lemberg 5f2a72cbc7 [truetype] Fix TT_Set_Var_Design.
Reported by Nikolaus Waxweiler <madigens@gmail.com>.

* src/truetype/ttgxvar.c (TT_Set_Var_Design): Correctly handle the
case where we have less input coordinates than axes.
2017-06-10 11:29:24 +02:00
Werner Lemberg 2c4fba9c91 * src/base/ftcalc.c (FT_DivFix): Fix embarrassing typo.
Bug introduced 2017-05-28.
2017-06-10 11:03:41 +02:00
Werner Lemberg 9038837ee2 [cff, truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2144
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2151
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2153
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2173
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2186

* src/cff/cf2blues.c (cf2_blues_init): Use SUB_INT32.

* src/truetype/ttinterp.c (Round_None, Round_To_Grid,
Round_To_Half_Grid, Round_Down_To_Grid, Round_Up_To_Grid,
Round_To_Double_Grid, Round_Super, Round_Super_45): Use ADD_LONG,
SUB_LONG, NEG_LONG, FT_PIX_ROUND_LONG, FT_PIX_CEIL_LONG,
FT_PAD_ROUND_LONG
(Ins_SxVTL, Ins_MIRP): Use SUB_LONG.
(_iup_worker_shift): Use SUB_LONG and ADD_LONG.
2017-06-09 20:42:46 +02:00
Werner Lemberg dcd8de272f */*: Remove `OVERFLOW_' prefix.
This increases readability.
2017-06-09 11:21:58 +02:00
Werner Lemberg 7bffeacd7e [cff, truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2133
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2137

* src/cff/cf2hints.c (cf2_hint_init): Use OVERFLOW_SUB_INT32.

* src/truetype/ttinterp.c (PROJECT, DUALPROJ): Use
OVERFLOW_SUB_LONG.
2017-06-07 17:08:01 +02:00
Werner Lemberg 24848a3d58 [cff] Integer overflow.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2109
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2110
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2122

* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.

* src/cff/cf2hints.c (cf2_hintmap_map): Synchronize if-else
branches.
2017-06-06 12:05:04 +02:00
Werner Lemberg 8667042997 [cff] Integer overflow.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089

* src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.
2017-06-05 06:20:53 +02:00
Werner Lemberg 9fa8a2997f [cff, truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2075
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2088

* src/cff/cf2font.c (cf2_font_setup): Use OVERFLOW_MUL_INT32.

* src/truetype/ttinterp.c (Ins_ISECT): Use OVERFLOW_MUL_LONG,
OVERFLOW_ADD_LONG, and OVERFLOW_SUB_LONG.
2017-06-04 20:43:08 +02:00
Werner Lemberg addb2dddb6 [base, cff, truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2060
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2062
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2063
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2068

* src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.

* src/cff/cf2blues.c (cf2_blues_capture), src/cff/cf2hints.c
(cf2_hintmap_adjustHints): Use OVERFLOW_SUB_INT32.

* src/truetype/ttgload.c (compute_glyph_metrics): User
OVERFLOW_SUB_LONG.

* src/truetype/ttinterp.c (Direct_Move, Direct_Move_Orig,
Direct_Move_X, Direct_Move_Y, Direct_Move_Orig_X,
Direct_Move_Orig_Y, Move_Zp2_Point, Ins_MSIRP): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.
2017-06-03 21:05:42 +02:00
Werner Lemberg 2c2e6403b7 [bdf] Synchronize sanity checks with pcf driver.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2054
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2058

* src/bdf/bdfdrivr.c (BDF_Face_Init): Check font ascent and descent.
Check AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE, RESOLUTION_X, and
RESOLUTION_Y properties.
2017-06-03 07:38:11 +02:00
Werner Lemberg 1ea343228d [cff, truetype] Integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057

* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.

* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
(Ins_SUB): Use OVERFLOW_SUB_LONG.
(Ins_NEG): Use NEG_LONG.
2017-06-03 06:52:13 +02:00
Werner Lemberg 0716c6ab7a [cff] Even more integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046

* src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
OVERFLOW_ADD_INT32.
2017-06-02 19:24:03 +02:00
Werner Lemberg 7a4276fb90 [cff] More integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2032

* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
2017-06-02 09:21:37 +02:00
Werner Lemberg 03b0cc2ea9 [bdf] Don't left-shift negative numbers.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2031

* src/bdf/bdfdrivr.c (BDF_Face_Init): Use multiplication.
2017-06-02 09:16:52 +02:00
Werner Lemberg 47a03e9b23 [bdf] Fix integer scanning routines.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2029

* src/bdf/bdflib.c (_bdf_atoul, _bdf_atol, _bdf_atous, _bdf_atos):
Stop scanning if result would overflow.
2017-06-02 09:06:36 +02:00
Werner Lemberg 3802ca8b64 [cff] Fix integer overflows.
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028

* src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
(cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
2017-06-02 08:44:20 +02:00
Werner Lemberg cd02d359a6 [smooth] Some 32bit integer overflow run-time errors.
* src/smooth/ftgrays.c [STANDALONE] (OVERFLOW_ADD_LONG,
OVERFLOW_SUB_LONG, OVERFLOW_MUL_LONG, NEG_LONG): New macros.
[!STANDALONE]: Include FT_INTERNAL_CALC_H.
(gray_render_cubic): Use those macros where appropriate.
2017-06-01 17:05:39 +02:00
Werner Lemberg 0ad3262366 * src/base/ftglyph.c (FT_Get_Glyph): Check `slot->advance'. 2017-06-01 17:00:37 +02:00
Werner Lemberg 4a1f1a6d2a [psaux] 32bit integer overflow tun-time errors (#46149).
* src/psaux/t1decode.c (t1_decoder_parse_charstrings): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG where appropriate.
2017-06-01 13:15:54 +02:00
Werner Lemberg 8d435c463d * src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter again.
Problem reported by Marek Kašík <mkasik@redhat.com>.

The problematic font that exceeds the old limit is Padauk-Bold,
version 3.002, containing bytecode generated by a buggy version of
ttfautohint.
2017-06-01 07:09:44 +02:00
Werner Lemberg e66d7300fe [cff] 32bit integer overflow run-time errors 2/2 (#46149).
This commit handles the new engine.

* include/freetype/internal/ftcalc.h (OVERFLOW_ADD_INT32,
OVERFLOW_SUB_INT32, OVERFLOW_MUL_INT32, NEG_INT, NEG_LONG,
NEG_INT32): New macros.

* src/cff/cf2ft.c (cf2_getScaleAndHintFlag): Use OVERFLOW_ADD_INT32.

* src/cff/cf2hints.c (cf2_getWindingMomentum, cf2_hint_init,
cf2_hintmap_map, cf2_glyphpath_hintPoint,
cf2_glyphpath_computeIntersection, cf2_glyphpath_computeOffset,
cf2_glyphpath_lineTo, cf2_glyphpath_curveTo): Use
OVERFLOW_ADD_INT32, OVERFLOW_SUB_INT32, OVERFLOW_MUL_INT32, and
NEG_INT32 where appropriate.

* src/cff/cf2intrp.c (cf2_doFlex, cf2_doBlend,
cf2_interpT2CharString): Ditto.
Also add some other code where needed to avoid overflow.
2017-05-31 16:16:50 +02:00
Werner Lemberg 9b710cd56e [cff] 32bit integer overflow run-time errors 1/2 (#46149).
This commit handles the old engine.

* src/cff/cffgload.c: Include FT_INTERNAL_CALC_H.
(cff_decoder_parse_charstrings): Use OVERFLOW_ADD_LONG and
OVERFLOW_SUB_LONG where needed.

* src/cff/cffparse.c: Include FT_INTERNAL_CALC_H.
(power_ten_limits): New static array.
(do_fixed): Use it to prevent multiplication overflow.
(cff_parser_run): Use OVERFLOW_ADD_LONG.
2017-05-30 22:35:41 +02:00
Werner Lemberg 0e7b9f864f [psaux] Correctly handle sequences of multiple number signs.
* src/psaux/psconv.c (PS_Conv_Strtol, PS_Conv_ToFixed): Return zero
if we encounter more than a single sign.
2017-05-30 22:22:19 +02:00
Werner Lemberg f01463297f [pcf] 32bit integer overflow run-time errors (#46149).
* src/pcf/pcfread.c (pcf_get_accel): Add sanity checks for
`fontAscent' and `fontDescent'.
(pcf_load_font): Add sanity checks for global height.
Add sanity checks for AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE,
RESOLUTION_X, and RESOLUTION_Y properties.
2017-05-29 21:04:27 +02:00