Werner Lemberg
933f4cbe79
[cff] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2738
* src/cff/cf2hints.c (cf2_glyphpath_computeOffset,
cf2_glyphpath_curveTo): Use ADD_INT32.
2017-07-26 23:32:32 +02:00
Werner Lemberg
38bdf22bfe
[truetype] Improve code comment.
2017-07-13 10:28:09 +02:00
Werner Lemberg
fe0a7d9df5
[base] Fix memory leak.
...
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=738362
* src/base/ftglyph.c (FT_Get_Glyph): Do proper deallocation in case
of error.
2017-07-13 10:25:42 +02:00
Werner Lemberg
134de096e0
[base] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2573
* src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use
FT_PIX_CEIL_LONG and FT_PIX_ROUND_LONG.
2017-07-12 22:16:37 +02:00
Werner Lemberg
3d083fc213
* src/truetype/ttpload.c (tt_face_get_location): Off-by-one typo.
...
Also improve tracing message.
Problem reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=738919
2017-07-12 00:24:48 +02:00
Werner Lemberg
9ea83c7889
[cff] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2517
* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32.
2017-07-07 17:09:43 +02:00
Werner Lemberg
cf8d9b4ce3
* src/sfnt/ttcmap.c (tt_cmap_unicode_class_rec): Fix warning.
2017-07-05 23:07:01 +02:00
Werner Lemberg
4261e497d8
* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Fix warning ( #51395 ).
2017-07-05 23:00:23 +02:00
Werner Lemberg
1c85479d2d
[truetype] Prevent address overflow ( #51365 ).
...
* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Add guard.
2017-07-04 08:08:54 +02:00
Alexei Podtelezhnikov
c56d8851ea
* src/base/ftlcdfil.c (ft_lcd_filter_fir): Improve code.
2017-07-03 22:49:07 -04:00
Werner Lemberg
ca799e9be5
[truetype] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2455
* src/truetype/ttinterp.c (Ins_SCFS): Use SUB_LONG.
2017-07-03 06:27:52 +02:00
Alexei Podtelezhnikov
abeb28f161
* src/sfnt/sfobjs.c (sfnt_load_face): Ignore No_Unicode_Glyph_Name.
2017-07-01 16:48:32 -04:00
Ben Wagner
7819aeb622
Avoid Microsoft compiler warnings ( #51331 ).
...
While clang's sanitizer recommends a cast to unsigned for safe
negation (to handle -INT_MIN), both MSVC and Visualc emit warning
C4146 if an unsigned value gets negated.
* include/freetype/internal/ftcalc.h (NEG_LONG, NEG_INT32),
src/base/ftcalc.c (FT_MOVE_SIGN): Replace negation with a
subtraction.
2017-06-28 22:57:41 +02:00
Werner Lemberg
2e7bb5e825
* src/cff/cffparse.c (do_fixed): Fix typo.
...
Spotted by chris <chris@gcjd.org>.
2017-06-27 16:56:38 +02:00
Werner Lemberg
dde8f5abbe
[truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2384
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2391
* src/base/ftcalc.c (FT_MulDiv, FT_MulDiv_No_Round, FT_DivFix): Use
NEG_LONG.
* src/truetype/ttinterp.c (Ins_SxVTL): Use NEG_LONG.
2017-06-27 06:16:04 +02:00
Werner Lemberg
b27cef27ff
[truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2364
* src/truetype/ttinterp.c (Ins_ISECT): Use NEG_LONG.
2017-06-24 20:17:46 +02:00
Werner Lemberg
298e2ea5a6
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2323
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2328
* src/cff/cf2blues.c (cf2_blues_capture): Use ADD_INT32 and
SUB_INT32.
* src/truetype/ttinterp.c (Ins_SDPVTL): Use SUB_LONG and NEG_LONG.
2017-06-22 11:52:43 +02:00
Alexei Podtelezhnikov
75cb071b3f
[sfnt] Synthesize a Unicode charmap if one is missing.
...
* src/sfnt/ttcmap.h (tt_cmap_unicode_class_rec): Declare it.
* src/sfnt/ttcmap.c (tt_get_glyph_name, tt_cmap_unicode_init,
tt_cmap_unicode_done, tt_cmap_unicode_char_index,
tt_cmap_unicode_char_next, tt_cmap_unicode_class_rec): Implement
synthetic Unicode charmap class.
(tt_get_cmap_info): Make sure the callback is available.
* src/sfnt/sfobjs.c (sfnt_load_face)
[FT_CONFIG_OPTION_POSTSCRIPT_NAMES]: If Unicode charmap is missing,
synthesize one.
* include/freetype/config/ftoption.h: Document it.
* devel/ftoption.h: Ditto.
2017-06-21 22:52:37 -04:00
Werner Lemberg
390048fa46
Remove deprecated comment.
2017-06-20 18:03:20 +02:00
Werner Lemberg
8c763fb1be
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2300
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2313
* src/cff/cf2hints.c (cf2_hintmap_adjustHints): Use ADD_INT32.
* src/truetype/ttinterp.c (Ins_ABS): Avoid FT_ABS.
2017-06-20 07:49:52 +02:00
Alexei Podtelezhnikov
7b7278334c
[base, smooth] LCD filtering cleanups.
...
* src/base/ftlcdlil.c (ft_lcd_filter_fir, _ft_lcd_filter_legacy):
Clean up, start filtering from the bottom-left origin.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Updated.
2017-06-17 23:28:14 -04:00
Werner Lemberg
4dc00cf5c0
[truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2270
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2278
* src/truetype/ttinterp.c (Ins_MDRP, _iup_worker_interpolate): Use
ADD_LONG and SUB_LONG.
2017-06-16 13:33:09 +02:00
Werner Lemberg
dbeb7bce7f
[bdf, cff] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2244
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2261
* src/bdf/bdfdrivr.c (BDF_Face_Init): Replace calls to FT_ABS with
direct code to avoid value negation.
* src/cff/cf2blues.c (cf2_blues_capture): Use SUB_INT32 and
ADD_INT32.
2017-06-15 19:39:50 +02:00
Werner Lemberg
79e3789f81
* src/winfonts/winfnt.c (FNT_Face_Init): Don't set active encoding.
...
FreeType only sets a default active encoding for Unicode.
2017-06-14 07:51:04 +02:00
Werner Lemberg
5c402d97af
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2216
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2218
* src/cff/cf2fixed.h (cf2_fixedAbs): Use NEG_INT32.
* src/truetype/ttinterp.c (Ins_IP): Use SUB_LONG.
2017-06-13 06:56:48 +02:00
Werner Lemberg
3ed3a96181
[cff] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2200
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2210
* src/cff/cf2hints.c (cf2_hintmap_insertHint): Use SUB_INT32 and
ADD_INT32.
* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdVMOVETO>: Use
ADD_INT32.
2017-06-11 13:50:37 +02:00
Werner Lemberg
5f2a72cbc7
[truetype] Fix TT_Set_Var_Design.
...
Reported by Nikolaus Waxweiler <madigens@gmail.com>.
* src/truetype/ttgxvar.c (TT_Set_Var_Design): Correctly handle the
case where we have less input coordinates than axes.
2017-06-10 11:29:24 +02:00
Werner Lemberg
2c4fba9c91
* src/base/ftcalc.c (FT_DivFix): Fix embarrassing typo.
...
Bug introduced 2017-05-28.
2017-06-10 11:03:41 +02:00
Werner Lemberg
9038837ee2
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2144
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2151
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2153
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2173
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2186
* src/cff/cf2blues.c (cf2_blues_init): Use SUB_INT32.
* src/truetype/ttinterp.c (Round_None, Round_To_Grid,
Round_To_Half_Grid, Round_Down_To_Grid, Round_Up_To_Grid,
Round_To_Double_Grid, Round_Super, Round_Super_45): Use ADD_LONG,
SUB_LONG, NEG_LONG, FT_PIX_ROUND_LONG, FT_PIX_CEIL_LONG,
FT_PAD_ROUND_LONG
(Ins_SxVTL, Ins_MIRP): Use SUB_LONG.
(_iup_worker_shift): Use SUB_LONG and ADD_LONG.
2017-06-09 20:42:46 +02:00
Werner Lemberg
dcd8de272f
*/*: Remove `OVERFLOW_' prefix.
...
This increases readability.
2017-06-09 11:21:58 +02:00
Werner Lemberg
7bffeacd7e
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2133
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2137
* src/cff/cf2hints.c (cf2_hint_init): Use OVERFLOW_SUB_INT32.
* src/truetype/ttinterp.c (PROJECT, DUALPROJ): Use
OVERFLOW_SUB_LONG.
2017-06-07 17:08:01 +02:00
Werner Lemberg
24848a3d58
[cff] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2109
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2110
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2122
* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
* src/cff/cf2hints.c (cf2_hintmap_map): Synchronize if-else
branches.
2017-06-06 12:05:04 +02:00
Werner Lemberg
8667042997
[cff] Integer overflow.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2089
* src/cff/cffload.c (cff_blend_doBlend): User OVERFLOW_ADD_INT32.
2017-06-05 06:20:53 +02:00
Werner Lemberg
9fa8a2997f
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2075
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2088
* src/cff/cf2font.c (cf2_font_setup): Use OVERFLOW_MUL_INT32.
* src/truetype/ttinterp.c (Ins_ISECT): Use OVERFLOW_MUL_LONG,
OVERFLOW_ADD_LONG, and OVERFLOW_SUB_LONG.
2017-06-04 20:43:08 +02:00
Werner Lemberg
addb2dddb6
[base, cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2060
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2062
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2063
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2068
* src/base/ftobjs.c (ft_glyphslot_grid_fit_metrics): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.
* src/cff/cf2blues.c (cf2_blues_capture), src/cff/cf2hints.c
(cf2_hintmap_adjustHints): Use OVERFLOW_SUB_INT32.
* src/truetype/ttgload.c (compute_glyph_metrics): User
OVERFLOW_SUB_LONG.
* src/truetype/ttinterp.c (Direct_Move, Direct_Move_Orig,
Direct_Move_X, Direct_Move_Y, Direct_Move_Orig_X,
Direct_Move_Orig_Y, Move_Zp2_Point, Ins_MSIRP): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG.
2017-06-03 21:05:42 +02:00
Werner Lemberg
2c2e6403b7
[bdf] Synchronize sanity checks with pcf driver.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2054
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2058
* src/bdf/bdfdrivr.c (BDF_Face_Init): Check font ascent and descent.
Check AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE, RESOLUTION_X, and
RESOLUTION_Y properties.
2017-06-03 07:38:11 +02:00
Werner Lemberg
1ea343228d
[cff, truetype] Integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2047
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2057
* src/cff/cf2hints.c (cf2_hintmap_map): Use OVERFLOW_SUB_INT32.
* src/truetype/ttinterp.c (Ins_ADD): Use OVERFLOW_ADD_LONG.
(Ins_SUB): Use OVERFLOW_SUB_LONG.
(Ins_NEG): Use NEG_LONG.
2017-06-03 06:52:13 +02:00
Werner Lemberg
0716c6ab7a
[cff] Even more integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2046
* src/cff/cf2intrp.c (cf2_doStems, cf2_interpT2CharString): Use
OVERFLOW_ADD_INT32.
2017-06-02 19:24:03 +02:00
Werner Lemberg
7a4276fb90
[cff] More integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2032
* src/cff/cf2blues.c (cf2_blues_init): Use OVERFLOW_SUB_INT32.
2017-06-02 09:21:37 +02:00
Werner Lemberg
03b0cc2ea9
[bdf] Don't left-shift negative numbers.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2031
* src/bdf/bdfdrivr.c (BDF_Face_Init): Use multiplication.
2017-06-02 09:16:52 +02:00
Werner Lemberg
47a03e9b23
[bdf] Fix integer scanning routines.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2029
* src/bdf/bdflib.c (_bdf_atoul, _bdf_atol, _bdf_atous, _bdf_atos):
Stop scanning if result would overflow.
2017-06-02 09:06:36 +02:00
Werner Lemberg
3802ca8b64
[cff] Fix integer overflows.
...
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2028
* src/cff/cf2hints.c (cf2_hintmap_insertHint), src/cff/cf2intrp.c
(cf2_doFlex): Use OVERFLOW_ADD_INT32 and OVERFLOW_SUB_INT32.
2017-06-02 08:44:20 +02:00
Werner Lemberg
cd02d359a6
[smooth] Some 32bit integer overflow run-time errors.
...
* src/smooth/ftgrays.c [STANDALONE] (OVERFLOW_ADD_LONG,
OVERFLOW_SUB_LONG, OVERFLOW_MUL_LONG, NEG_LONG): New macros.
[!STANDALONE]: Include FT_INTERNAL_CALC_H.
(gray_render_cubic): Use those macros where appropriate.
2017-06-01 17:05:39 +02:00
Werner Lemberg
0ad3262366
* src/base/ftglyph.c (FT_Get_Glyph): Check `slot->advance'.
2017-06-01 17:00:37 +02:00
Werner Lemberg
4a1f1a6d2a
[psaux] 32bit integer overflow tun-time errors ( #46149 ).
...
* src/psaux/t1decode.c (t1_decoder_parse_charstrings): Use
OVERFLOW_ADD_LONG and OVERFLOW_SUB_LONG where appropriate.
2017-06-01 13:15:54 +02:00
Werner Lemberg
8d435c463d
* src/truetype/ttinterp.c (TT_RunIns): Adjust loop counter again.
...
Problem reported by Marek Kašík <mkasik@redhat.com>.
The problematic font that exceeds the old limit is Padauk-Bold,
version 3.002, containing bytecode generated by a buggy version of
ttfautohint.
2017-06-01 07:09:44 +02:00
Werner Lemberg
e66d7300fe
[cff] 32bit integer overflow run-time errors 2/2 ( #46149 ).
...
This commit handles the new engine.
* include/freetype/internal/ftcalc.h (OVERFLOW_ADD_INT32,
OVERFLOW_SUB_INT32, OVERFLOW_MUL_INT32, NEG_INT, NEG_LONG,
NEG_INT32): New macros.
* src/cff/cf2ft.c (cf2_getScaleAndHintFlag): Use OVERFLOW_ADD_INT32.
* src/cff/cf2hints.c (cf2_getWindingMomentum, cf2_hint_init,
cf2_hintmap_map, cf2_glyphpath_hintPoint,
cf2_glyphpath_computeIntersection, cf2_glyphpath_computeOffset,
cf2_glyphpath_lineTo, cf2_glyphpath_curveTo): Use
OVERFLOW_ADD_INT32, OVERFLOW_SUB_INT32, OVERFLOW_MUL_INT32, and
NEG_INT32 where appropriate.
* src/cff/cf2intrp.c (cf2_doFlex, cf2_doBlend,
cf2_interpT2CharString): Ditto.
Also add some other code where needed to avoid overflow.
2017-05-31 16:16:50 +02:00
Werner Lemberg
9b710cd56e
[cff] 32bit integer overflow run-time errors 1/2 ( #46149 ).
...
This commit handles the old engine.
* src/cff/cffgload.c: Include FT_INTERNAL_CALC_H.
(cff_decoder_parse_charstrings): Use OVERFLOW_ADD_LONG and
OVERFLOW_SUB_LONG where needed.
* src/cff/cffparse.c: Include FT_INTERNAL_CALC_H.
(power_ten_limits): New static array.
(do_fixed): Use it to prevent multiplication overflow.
(cff_parser_run): Use OVERFLOW_ADD_LONG.
2017-05-30 22:35:41 +02:00
Werner Lemberg
0e7b9f864f
[psaux] Correctly handle sequences of multiple number signs.
...
* src/psaux/psconv.c (PS_Conv_Strtol, PS_Conv_ToFixed): Return zero
if we encounter more than a single sign.
2017-05-30 22:22:19 +02:00
Werner Lemberg
f01463297f
[pcf] 32bit integer overflow run-time errors ( #46149 ).
...
* src/pcf/pcfread.c (pcf_get_accel): Add sanity checks for
`fontAscent' and `fontDescent'.
(pcf_load_font): Add sanity checks for global height.
Add sanity checks for AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE,
RESOLUTION_X, and RESOLUTION_Y properties.
2017-05-29 21:04:27 +02:00