diff --git a/ChangeLog b/ChangeLog index 5b43aa733..227e94e1f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2018-08-14 Werner Lemberg + + [cff] Fix segv. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9864 + + * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) + [CFF_CONFIG_OPTION_OLD_ENGINE]: Use top dict's + `random' field directly if parsing dictionaries. + 2018-08-13 Alexei Podtelezhnikov [bdf] Use unsigned types. diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c index 024eb9c8b..3f4ea15cb 100644 --- a/src/psaux/cffdecode.c +++ b/src/psaux/cffdecode.c @@ -1712,16 +1712,20 @@ break; case cff_op_random: - FT_TRACE4(( " random\n" )); + { + FT_UInt32* randval = in_dict ? &decoder->cff->top_font.random + : &decoder->current_subfont->random; - /* only use the lower 16 bits of `random' */ - /* to generate a number in the range (0;1] */ - args[0] = (FT_Fixed) - ( ( decoder->current_subfont->random & 0xFFFF ) + 1 ); - args++; - decoder->current_subfont->random = - cff_random( decoder->current_subfont->random ); + FT_TRACE4(( " random\n" )); + + /* only use the lower 16 bits of `random' */ + /* to generate a number in the range (0;1] */ + args[0] = (FT_Fixed)( ( *randval & 0xFFFF ) + 1 ); + args++; + + *randval = cff_random( *randval ); + } break; case cff_op_mul: