[psaux] Fix segfault.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_callothersubr> [CFF_CONFIG_OPTION_OLD_ENGINE]: Check argument.
parent
6b660f1215
commit
d280ae1e8c
14
ChangeLog
14
ChangeLog
|
@ -1,10 +1,22 @@
|
||||||
|
2018-10-02 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[psaux] Fix segfault.
|
||||||
|
|
||||||
|
Reported as
|
||||||
|
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768
|
||||||
|
|
||||||
|
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
|
||||||
|
<cff_op_callothersubr> [CFF_CONFIG_OPTION_OLD_ENGINE]: Check
|
||||||
|
argument.
|
||||||
|
|
||||||
2018-10-02 Werner Lemberg <wl@gnu.org>
|
2018-10-02 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
[psaux] Fix numeric overflow.
|
[psaux] Fix numeric overflow.
|
||||||
|
|
||||||
Reported as
|
Reported as
|
||||||
|
|
||||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10740
|
||||||
|
|
||||||
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll>
|
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll>
|
||||||
[CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT.
|
[CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT.
|
||||||
|
|
|
@ -2027,20 +2027,31 @@
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case cff_op_callothersubr:
|
case cff_op_callothersubr:
|
||||||
/* this is an invalid Type 2 operator; however, there */
|
{
|
||||||
/* exist fonts which are incorrectly converted from probably */
|
FT_Fixed arg;
|
||||||
/* Type 1 to CFF, and some parsers seem to accept it */
|
|
||||||
|
|
||||||
FT_TRACE4(( " callothersubr (invalid op)\n" ));
|
|
||||||
|
|
||||||
/* subsequent `pop' operands should add the arguments, */
|
/* this is an invalid Type 2 operator; however, there */
|
||||||
/* this is the implementation described for `unknown' other */
|
/* exist fonts which are incorrectly converted from */
|
||||||
/* subroutines in the Type1 spec. */
|
/* probably Type 1 to CFF, and some parsers seem to accept */
|
||||||
/* */
|
/* it */
|
||||||
/* XXX Fix return arguments (see discussion below). */
|
|
||||||
args -= 2 + ( args[-2] >> 16 );
|
FT_TRACE4(( " callothersubr (invalid op)\n" ));
|
||||||
if ( args < stack )
|
|
||||||
goto Stack_Underflow;
|
/* subsequent `pop' operands should add the arguments, */
|
||||||
|
/* this is the implementation described for `unknown' */
|
||||||
|
/* other subroutines in the Type1 spec. */
|
||||||
|
/* */
|
||||||
|
/* XXX Fix return arguments (see discussion below). */
|
||||||
|
|
||||||
|
arg = 2 + ( args[-2] >> 16 );
|
||||||
|
if ( arg >= CFF_MAX_OPERANDS )
|
||||||
|
goto Stack_Underflow;
|
||||||
|
|
||||||
|
args -= arg;
|
||||||
|
if ( args < stack )
|
||||||
|
goto Stack_Underflow;
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case cff_op_pop:
|
case cff_op_pop:
|
||||||
|
|
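Review bot: The new bound at `if ( arg >= CFF_MAX_OPERANDS )` only caps the upper end; a negative `args[-2]` makes `args[-2] >> 16` negative (right-shifting a negative signed value is implementation-defined, arithmetic on every compiler FreeType targets), so `arg` is below 2 and `args -= arg;` moves the operand pointer upward past what was pushed, which the following `args < stack` test cannot catch. Subsequent operators would then read uninitialized stack slots or, for a sufficiently negative count, memory beyond the operand array, before any push-side overflow check runs. Rejecting a negative count as well closes this: `if ( arg < 2 || arg >= CFF_MAX_OPERANDS )`. Note also that `args[-2]` is dereferenced before any check visible in this hunk that two operands are on the stack; cff_decoder_parse_charstrings starts and ends outside the hunk, so whether the per-operator minimum-argument check ahead of the switch already guarantees that for callothersubr should be confirmed.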