[psaux] Full bounds check for OtherSubr 19.

It is possible for OtherSubr 19 to be invoked when `decoder->buildchar` is NULL (so that `decoder->len_buildchar` is 0), the `blend` is non-NULL with `blend->num_designs` set to 2, and the user supplied `idx` to be large (for example 0xFFFFFFFE). Since these are all `FT_UInt32` the existing bounds check overflows in a well defined manner, allowing for an invalid call to `memcpy`. In addition, it is possible to call OtherSubr 19 with `decoder->len_buildchar`, `blend->num_designs`, and `idx` all zero (implying that `blend->weight_vector` and `decoder->buildchar` are NULL). This passes the bounds check (it is logically always fine to copy nothing starting at index zero) but may invoke undefined behavior in `ft_memcpy` if it is backed by `memcpy`. Calling `memcpy` with either the `src` or `dst` NULL is undefined behavior (even if `count` is zero). * src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that `blend->num_designs` can be copied to `decoder->buildchar[idx]`. Also avoid passing NULL to `ft_memcpy`. Bug: https://crbug.com/1299259
2022-02-22 20:37:43 -05:00 · 2022-02-22 20:37:43 -05:00 · 034e5dbf92
parent bcdfa38692
commit 034e5dbf92
1 changed files with 9 additions and 7 deletions
--- a/src/psaux/psintrp.c
+++ b/src/psaux/psintrp.c
@ -1900,7 +1900,8 @@
                      /*     WeightVector                         */
                      {
                        FT_UInt   idx;
-                        PS_Blend  blend = decoder->blend;
+                        PS_Blend  blend         = decoder->blend;
+                        FT_UInt   len_buildchar = decoder->len_buildchar;


                        if ( arg_cnt != 1 || !blend )
@ -1908,14 +1909,15 @@

                        idx = (FT_UInt)cf2_stack_popInt( opStack );

-                        if ( idx + blend->num_designs >
-                               decoder->len_buildchar   )
+                        if ( len_buildchar < blend->num_designs       ||
+                             len_buildchar - blend->num_designs < idx )
                          goto Unexpected_OtherSubr;

-                        ft_memcpy( &decoder->buildchar[idx],
-                                   blend->weight_vector,
-                                   blend->num_designs *
-                                   sizeof ( blend->weight_vector[0] ) );
+                        if ( decoder->buildchar && blend->weight_vector )
+                          ft_memcpy( &decoder->buildchar[idx],
+                                     blend->weight_vector,
+                                     blend->num_designs *
+                                       sizeof ( blend->weight_vector[0] ) );
                      }
                      break;