diff --git a/ChangeLog b/ChangeLog
index f6f278730..789ac9461 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2018-05-22 Werner Lemberg
+
+ [truetype] Reject elements of composites with invalid glyph indices.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413
+
+ * src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
+
 2018-05-22 Werner Lemberg
 * src/truetype/ttgload.c (TT_Load_Simple_Glyph): Trace # of points.
diff --git a/include/freetype/config/ftheader.h b/include/freetype/config/ftheader.h
index 702f77cc4..13e5de7d6 100644
--- a/include/freetype/config/ftheader.h
+++ b/include/freetype/config/ftheader.h
@@ -760,6 +760,18 @@
 #define FT_ADVANCES_H
+ /*************************************************************************
+ *
+ * @macro:
+ * FT_COLOR_H
+ *
+ * @description:
+ * A macro used in #include statements to name the file containing the
+ * FreeType~2 API which handles the OpenType CPAL table.
+ */
+#define FT_COLOR_H
+
+
 /* */
 /* These header files don't need to be included by the user. */
diff --git a/include/freetype/ftbitmap.h b/include/freetype/ftbitmap.h
index cbdccc208..f3acd19ae 100644
--- a/include/freetype/ftbitmap.h
+++ b/include/freetype/ftbitmap.h
@@ -22,6 +22,7 @@
 #include
 #include FT_FREETYPE_H
+#include FT_COLOR_H
 #ifdef FREETYPE_H
 #error "freetype.h of FreeType 1 has been loaded!"
@@ -182,6 +183,43 @@ FT_BEGIN_HEADER
 FT_Int alignment );
+ /*************************************************************************/
+ /* */
+ /* */
+ /* FT_Bitmap_Blend */
+ /* */
+ /* */
+ /* Blend a bitmap object from an `FT_GlyphSlot' structure onto a */
+ /* bitmap in an `FT_Bitmap' structure, using a given color and */
+ /* offset. */
+ /* */
+ /* */
+ /* target :: A handle to a bitmap object. Its type must be */
+ /* @FT_PIXEL_MODE_BGRA. */
+ /* */
+ /* */
+ /* source :: The glyph slot's source bitmap, which can have any */
+ /* @FT_Pixel_Mode format. */
+ /* */
+ /* color :: The color used to draw `source' onto `target'. */
+ /* */
+ /* topleft :: A vector from the topleft corner of `source' to the */
+ /* topleft corner of `target'. */
+ /* */
+ /* */
+ /* FreeType error code. 0~means success. */
+ /* */
+ /* */
+ /* This function reallocates the target bitmap if necessary; it */
+ /* doesn't perform clipping. */
+ /* */
+ FT_EXPORT( FT_Error )
+ FT_Bitmap_Blend( FT_Bitmap target,
+ FT_GlyphSlot source,
+ FT_Color color,
+ FT_Vector topleft );
+
+
 /*************************************************************************/
 /* */
 /* */
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index 33ca681b1..f7f723a9a 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -561,9 +561,10 @@ TT_Load_Composite_Glyph( TT_Loader loader )
 {
 FT_Error error;
- FT_Byte* p = loader->cursor;
- FT_Byte* limit = loader->limit;
- FT_GlyphLoader gloader = loader->gloader;
+ FT_Byte* p = loader->cursor;
+ FT_Byte* limit = loader->limit;
+ FT_GlyphLoader gloader = loader->gloader;
+ FT_Long num_glyphs = loader->face->root.num_glyphs;
 FT_SubGlyph subglyph;
 FT_UInt num_subglyphs;
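Review bot: The note `This function reallocates the target bitmap if necessary; it doesn't perform clipping.` leaves the caller's obligations unstated: nothing says that `target' must carry a buffer the library owns (presumably one set up with this header's bitmap init routine and released with its done routine — the implementation is not in this diff, so confirm), and a caller handing in a bitmap whose `buffer' points at its own memory risks that memory being reallocated or freed behind its back. It also does not say how "no clipping" combines with reallocation, i.e. whether a `source' placed by `topleft' partly outside `target' grows the target or is an error, nor which error code comes back when `target' is not @FT_PIXEL_MODE_BGRA. I would extend the note with something like `target' must have been initialized with the library's bitmap init function and is resized to cover `source'; release it with the matching done function` once the implementation confirms that, and name the mismatch error. This is a documentation point only; the declaration's parameter types are only partly legible in this rendering.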
@@ -592,6 +593,11 @@
 subglyph->flags = FT_NEXT_USHORT( p );
 subglyph->index = FT_NEXT_USHORT( p );
+ /* we reject composites that have components */
+ /* with invalid glyph indices */
+ if ( subglyph->index >= num_glyphs )
+ goto Invalid_Composite;
+
 /* check space */
 count = 2;
 if ( subglyph->flags & ARGS_ARE_WORDS )
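Review bot: The new comment `/* we reject composites that have components */ /* with invalid glyph indices */` records what is rejected but neither the bound nor the consequence, and since `Invalid_Composite` and the rest of the component loop lie outside this hunk a reader here cannot tell that the whole glyph fails rather than the one element being skipped; I would write `/* a component index >= face->root.num_glyphs cannot be loaded; */` `/* fail the whole composite instead of skipping the element */`. The check itself looks right as far as the hunk shows: it runs immediately after the index is read, before any of the component's argument bytes are consumed, so a malformed component never reaches the later per-component work. One thing to glance at is the comparison of `subglyph->index` with `num_glyphs`, which the earlier hunk declares as `FT_Long`; the FT_SubGlyph field type is not visible in this diff, and if it were unsigned the comparison would turn unsigned on targets where `long` is 32 bits. The enclosing TT_Load_Composite_Glyph body starts and ends outside this hunk.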