[woff2] Avoid allocation bomb.
This is a fix for commit 85167dbd5, reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60615
* src/sfnt/sfwoff2.c (MAX_SFNT_SIZE): New macro.
(woff2_open_font): Use it to limit the maximum size of an uncompressed WOFF2
font.
This commit is contained in:
Werner Lemberg
parent
3c92e7bfc2
commit
336503dfd7
|
|
@ -36,6 +36,8 @@
|
|||
#undef FT_COMPONENT
|
||||
#define FT_COMPONENT sfwoff2
|
||||
|
||||
/* An arbitrary, heuristic size limit (67MByte) for expanded WOFF2 data. */
|
||||
#define MAX_SFNT_SIZE ( 1 << 26 )
|
||||
|
||||
#define READ_255USHORT( var ) FT_SET_ERROR( Read255UShort( stream, &var ) )
|
||||
|
||||
|
|
@ -2180,9 +2182,8 @@
|
|||
else
|
||||
sfnt_size = woff2.totalSfntSize;
|
||||
|
||||
/* Value 1<<26 = 67108864 is heuristic. */
|
||||
if (sfnt_size >= (1 << 26))
|
||||
sfnt_size = 1 << 26;
|
||||
if ( sfnt_size >= MAX_SFNT_SIZE )
|
||||
sfnt_size = MAX_SFNT_SIZE;
|
||||
|
||||
#ifdef FT_DEBUG_LEVEL_TRACE
|
||||
if ( sfnt_size != woff2.totalSfntSize )
|
||||
|
|
@ -2257,6 +2258,17 @@
|
|||
goto Exit;
|
||||
}
|
||||
|
||||
/* We must not blindly trust `uncompressed_size` since its */
|
||||
/* value might be corrupted. If it is too large, reject the */
|
||||
/* font. In other words, we don't accept a WOFF2 font that */
|
||||
/* expands to something larger than MAX_SFNT_SIZE. If ever */
|
||||
/* necessary, this limit can be easily adjusted. */
|
||||
if ( woff2.uncompressed_size > MAX_SFNT_SIZE )
|
||||
{
|
||||
FT_ERROR(( "Uncompressed font too large.\n" ));
|
||||
return FT_THROW( Array_Too_Large );
|
||||
}
|
||||
|
||||
/* Allocate memory for uncompressed table data. */
|
||||
if ( FT_QALLOC( uncompressed_buf, woff2.uncompressed_size ) ||
|
||||
FT_FRAME_ENTER( woff2.totalCompressedSize ) )
|
||||
|
|
|
|||
Loading…
Reference in New Issue