minhngoc25a
/
freetype2
mirror of git://git.savannah.gnu.org/freetype/freetype2.git
2
1
Fork 2
Code Issues 4 Releases Wiki Activity

[psaux] Fix segfault. 

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768

* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
<cff_op_callothersubr> [CFF_CONFIG_OPTION_OLD_ENGINE]: Check
argument.
This commit is contained in:
Werner Lemberg 2018-10-02 20:45:16 +02:00
parent 6b660f1215
commit d280ae1e8c
2 changed files with 36 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ChangeLog
View File

@ -1,10 +1,22 @@
2018-10-02 Werner Lemberg <wl@gnu.org>
[psaux] Fix segfault.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
<cff_op_callothersubr> [CFF_CONFIG_OPTION_OLD_ENGINE]: Check
argument.
2018-10-02 Werner Lemberg <wl@gnu.org> 2018-10-02 Werner Lemberg <wl@gnu.org>
[psaux] Fix numeric overflow. [psaux] Fix numeric overflow.
Reported as Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10740
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll> * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll>
[CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT. [CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT.

35
src/psaux/cffdecode.c
View File

@ -2027,20 +2027,31 @@
break; break;
case cff_op_callothersubr: case cff_op_callothersubr:
/* this is an invalid Type 2 operator; however, there */ {
/* exist fonts which are incorrectly converted from probably */ FT_Fixed arg;
/* Type 1 to CFF, and some parsers seem to accept it */
FT_TRACE4(( " callothersubr (invalid op)\n" ));
/* subsequent `pop' operands should add the arguments, */ /* this is an invalid Type 2 operator; however, there */
/* this is the implementation described for `unknown' other */ /* exist fonts which are incorrectly converted from */
/* subroutines in the Type1 spec. */ /* probably Type 1 to CFF, and some parsers seem to accept */
/* */ /* it */
/* XXX Fix return arguments (see discussion below). */
args -= 2 + ( args[-2] >> 16 ); FT_TRACE4(( " callothersubr (invalid op)\n" ));
if ( args < stack )
goto Stack_Underflow; /* subsequent `pop' operands should add the arguments, */
/* this is the implementation described for `unknown' */
/* other subroutines in the Type1 spec. */
/* */
/* XXX Fix return arguments (see discussion below). */
arg = 2 + ( args[-2] >> 16 );
if ( arg >= CFF_MAX_OPERANDS )
goto Stack_Underflow;
args -= arg;
if ( args < stack )
goto Stack_Underflow;
}
break; break;
case cff_op_pop: case cff_op_pop: