From 839a023619b593b742f62ffab8e7e4f9da8c1593 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Mon, 30 Sep 2019 07:41:57 +0200
Subject: [PATCH] * src/sfnt/sfwoff2.c (reconstruct_font): Fix memory leak.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17812
---
 ChangeLog | 8 ++++++++
 src/sfnt/sfwoff2.c | 20 ++++++++++----------
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index bbf2e1bf1..9dab66363 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2019-09-30 Werner Lemberg
+
+ * src/sfnt/sfwoff2.c (reconstruct_font): Fix memory leak.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17812
+
 2019-09-30 Werner Lemberg
 [woff2] Reject fonts without `head' table.
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 2d85ef5a2..065023bf7 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1534,7 +1534,7 @@
 /* Create a stream for the uncompressed buffer. */
 if ( FT_NEW( stream ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 FT_Stream_OpenMemory( stream, transformed_buf, transformed_buf_size );
 FT_ASSERT( FT_STREAM_POS() == 0 );
@@ -1554,16 +1554,16 @@
 (FT_Char)( table.Tag ) ));
 if ( FT_STREAM_SEEK( table.src_offset ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 if ( table.src_offset + table.src_length > transformed_buf_size )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 /* Get stream size for fields of `hmtx' table. */
 if ( table.Tag == TTAG_hhea )
 {
 if ( read_num_hmetrics( stream, &num_hmetrics ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 }
 info->num_hmetrics = num_hmetrics;
@@ -1575,7 +1575,7 @@
 if ( table.Tag == TTAG_head )
 {
 if ( table.src_length < 12 )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 buf_cursor = transformed_buf + table.src_offset + 8;
 /* Set checkSumAdjustment = 0 */
@@ -1590,7 +1590,7 @@
 if ( WRITE_SFNT_BUF( transformed_buf + table.src_offset, table.src_length ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 }
 else
 {
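Review bot: In the `@@ -1554` hunk, `if ( table.src_offset + table.src_length > transformed_buf_size ) goto Fail;` now reaches the cleanup label without assigning `error`; the preceding `FT_STREAM_SEEK` must have succeeded to get here, so `error` is presumably still 0 at that point. The same holds for `table.src_length < 12` in the `@@ -1575` hunk, the `Unknown table transform` branch in `@@ -1639`, and the helper calls (`read_num_hmetrics`, `get_x_mins`, and the calls whose tails appear in `@@ -1611` and `@@ -1639`) whose return value is tested but not stored. The `Fail:` label is outside every hunk shown, so confirm it does something like `if ( !error ) error = FT_THROW( Invalid_Table );` before returning; otherwise a malformed WOFF2 table would be reported as success and the caller would go on to use a partially reconstructed sfnt buffer.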
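Review bot: The copy `WRITE_SFNT_BUF( transformed_buf + table.src_offset, table.src_length )` in the `@@ -1590` hunk is only as safe as the bounds check kept in the `@@ -1554` hunk, and that check adds before it compares: `table.src_offset + table.src_length` can wrap when both fields come from the font file and have the same unsigned width as `transformed_buf_size` (their types are not visible here; this matters most where `unsigned long` is 32 bits). Assuming a successful seek already implies `table.src_offset <= transformed_buf_size`, the subtraction form avoids the wrap: `if ( table.src_length > transformed_buf_size - table.src_offset ) goto Fail;`. The enclosing `if ( table.Tag == TTAG_head )` block starts in the `@@ -1575` hunk and the loop around it lies outside the diff.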
@@ -1611,7 +1611,7 @@
 &dest_offset, info, memory ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 FT_TRACE4(( "Checksum = %09x.\n", checksum ));
 }
@@ -1625,7 +1625,7 @@
 if ( !is_glyf_xform )
 {
 if ( get_x_mins( stream, indices, num_tables, info, memory ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 }
 table.dst_offset = dest_offset;
@@ -1639,13 +1639,13 @@
 sfnt_size, &dest_offset, memory ) )
- return FT_THROW( Invalid_Table );
+ goto Fail;
 }
 else
 {
 /* Unknown transform. */
 FT_ERROR(( "Unknown table transform.\n" ));
- return FT_THROW( Invalid_Table );
+ goto Fail;
 }
 }