[truetype] Another limitation for bytecode loop count maximum.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=900

* src/truetype/ttinterp.c (TT_RunIns): Limit `loopcall_counter_max'
by number of glyphs also.
This commit is contained in:
Werner Lemberg 2017-03-18 09:42:58 +01:00
parent ab840e6a4c
commit 13fa85a246
2 changed files with 28 additions and 9 deletions

View File

@ -1,3 +1,14 @@
2017-03-18 Werner Lemberg <wl@gnu.org>
[truetype] Another limitation for bytecode loop count maximum.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=900
* src/truetype/ttinterp.c (TT_RunIns): Limit `loopcall_counter_max'
by number of glyphs also.
2017-03-18 Werner Lemberg <wl@gnu.org>
[ftfuzzer] Minor improvement.

View File

@ -7605,15 +7605,16 @@
exc->twilight.n_points = (FT_UShort)num_twilight_points;
}
/* Set up loop detectors. We restrict the number of LOOPCALL loops */
/* and the number of JMPR, JROT, and JROF calls with a negative */
/* argument to values that depend on the size of the CVT table and */
/* the number of points in the current glyph (if applicable). */
/* */
/* The idea is that in real-world bytecode you either iterate over */
/* all CVT entries (in the `prep' table), or over all points (or */
/* contours, in the `glyf' table) of a glyph, and such iterations */
/* don't happen very often. */
/* Set up loop detectors. We restrict the number of LOOPCALL loops */
/* and the number of JMPR, JROT, and JROF calls with a negative */
/* argument to values that depend on various parameters like the */
/* size of the CVT table or the number of points in the current */
/* glyph (if applicable). */
/* */
/* The idea is that in real-world bytecode you either iterate over */
/* all CVT entries (in the `prep' table), or over all points (or */
/* contours, in the `glyf' table) of a glyph, and such iterations */
/* don't happen very often. */
exc->loopcall_counter = 0;
exc->neg_jump_counter = 0;
@ -7626,6 +7627,13 @@
else
exc->loopcall_counter_max = FT_MAX( 100,
5 * exc->cvtSize );
/* as a protection against an unreasonable number of CVT entries */
/* we assume at most 100 control values per glyph for the counter */
if ( exc->loopcall_counter_max >
100 * (FT_ULong)exc->face->root.num_glyphs )
exc->loopcall_counter_max = 100 * (FT_ULong)exc->face->root.num_glyphs;
FT_TRACE5(( "TT_RunIns: Limiting total number of loops in LOOPCALL"
" to %d\n", exc->loopcall_counter_max ));