From ad7dce7751298e3d65752c5149f08892ff79bcb0 Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Fri, 17 Jan 2025 20:54:14 -0500
Subject: [PATCH] * src/bdf/bdflib.c (bdf_parse_start_): Prevent another STARTPROPERTIES.
Only one STARTPROPERTIES was permitted in the old flow preventing leaks and overflows.
See https://issues.oss-fuzz.com/issues/389968131 https://issues.oss-fuzz.com/issues/390464875
---
 src/bdf/bdflib.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index cb0b0f647..ce8dfb1b6 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -539,7 +539,7 @@
 while ( bytes )
 {
- /* try to fine the start of the line */
+ /* try to find the start of the line */
 while ( start < avail && buf[start] < ' ' )
 start++;
@@ -1661,7 +1661,6 @@
 /* Check for the end of the properties. */
 if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
 {
- p->flags &= ~BDF_PROPS_;
 *next = bdf_parse_start_;
 goto Exit;
@@ -1798,7 +1797,8 @@
 font = p->font;
 /* Check for the start of the properties. */
- if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+ if ( !( p->flags & BDF_PROPS_ ) &&
+ _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
 {
 if ( !( p->flags & BDF_FONT_BBX_ ) )
 {
@@ -1812,9 +1812,13 @@
 if ( error )
 goto Exit;
- p->cnt = font->props_size = bdf_atoul_( p->list.field[1] );
+ font->props_size = bdf_atoul_( p->list.field[1] );
+
+ if ( font->props_size < 2 )
+ font->props_size = 2;
+
 /* We need at least 4 bytes per property. */
- if ( p->cnt > p->size / 4 )
+ if ( font->props_size > p->size / 4 )
 {
 font->props_size = 0;
@@ -1823,7 +1827,7 @@
 goto Exit;
 }
- if ( FT_NEW_ARRAY( font->props, p->cnt ) )
+ if ( FT_NEW_ARRAY( font->props, font->props_size ) )
 {
 font->props_size = 0;
 goto Exit;
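Review bot: The clamp `if ( font->props_size < 2 ) font->props_size = 2;` in the fourth hunk introduces a bare magic number; a one-line comment such as `/* leave room for the FONT_ASCENT/FONT_DESCENT defaults added at ENDPROPERTIES */` would tell the next reader why 2 (that reason is inferred from the surrounding parser and should be confirmed). The same hunk stops assigning `p->cnt`, yet the commit touches no other use of it; if bdf_parse_properties_ still reads `p->cnt` as the remaining-property count, it now sees a stale value from an earlier state, which the ten-line diffstat suggests was not revisited. In the third hunk, the new `!( p->flags & BDF_PROPS_ )` guard, together with the clear no longer happening at ENDPROPERTIES, means a repeated STARTPROPERTIES silently falls through to the later keyword checks rather than being reported; a comment at the guard, `/* BDF_PROPS_ stays set after ENDPROPERTIES: a second STARTPROPERTIES must not replace the live props array */`, would make that intent visible. The enclosing function bdf_parse_start_ begins and ends outside these hunks.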