[truetype] Reject elements of composites with invalid glyph indices.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413 * src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
parent
3c99016f8f
commit
3360ca5853
10
ChangeLog
10
ChangeLog
|
@ -1,3 +1,13 @@
|
||||||
|
2018-05-22 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[truetype] Reject elements of composites with invalid glyph indices.
|
||||||
|
|
||||||
|
Reported as
|
||||||
|
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413
|
||||||
|
|
||||||
|
* src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
|
||||||
|
|
||||||
2018-05-22 Werner Lemberg <wl@gnu.org>
|
2018-05-22 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Trace # of points.
|
* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Trace # of points.
|
||||||
|
|
|
@ -760,6 +760,18 @@
|
||||||
#define FT_ADVANCES_H <freetype/ftadvanc.h>
|
#define FT_ADVANCES_H <freetype/ftadvanc.h>
|
||||||
|
|
||||||
|
|
||||||
|
/*************************************************************************
|
||||||
|
*
|
||||||
|
* @macro:
|
||||||
|
* FT_COLOR_H
|
||||||
|
*
|
||||||
|
* @description:
|
||||||
|
* A macro used in #include statements to name the file containing the
|
||||||
|
* FreeType~2 API which handles the OpenType CPAL table.
|
||||||
|
*/
|
||||||
|
#define FT_COLOR_H <freetype/ftcolor.h>
|
||||||
|
|
||||||
|
|
||||||
/* */
|
/* */
|
||||||
|
|
||||||
/* These header files don't need to be included by the user. */
|
/* These header files don't need to be included by the user. */
|
||||||
|
|
|
@ -22,6 +22,7 @@
|
||||||
|
|
||||||
#include <ft2build.h>
|
#include <ft2build.h>
|
||||||
#include FT_FREETYPE_H
|
#include FT_FREETYPE_H
|
||||||
|
#include FT_COLOR_H
|
||||||
|
|
||||||
#ifdef FREETYPE_H
|
#ifdef FREETYPE_H
|
||||||
#error "freetype.h of FreeType 1 has been loaded!"
|
#error "freetype.h of FreeType 1 has been loaded!"
|
||||||
|
@ -182,6 +183,43 @@ FT_BEGIN_HEADER
|
||||||
FT_Int alignment );
|
FT_Int alignment );
|
||||||
|
|
||||||
|
|
||||||
|
/*************************************************************************/
|
||||||
|
/* */
|
||||||
|
/* <Function> */
|
||||||
|
/* FT_Bitmap_Blend */
|
||||||
|
/* */
|
||||||
|
/* <Description> */
|
||||||
|
/* Blend a bitmap object from an `FT_GlyphSlot' structure onto a */
|
||||||
|
/* bitmap in an `FT_Bitmap' structure, using a given color and */
|
||||||
|
/* offset. */
|
||||||
|
/* */
|
||||||
|
/* <InOut> */
|
||||||
|
/* target :: A handle to a bitmap object. Its type must be */
|
||||||
|
/* @FT_PIXEL_MODE_BGRA. */
|
||||||
|
/* */
|
||||||
|
/* <Input> */
|
||||||
|
/* source :: The glyph slot's source bitmap, which can have any */
|
||||||
|
/* @FT_Pixel_Mode format. */
|
||||||
|
/* */
|
||||||
|
/* color :: The color used to draw `source' onto `target'. */
|
||||||
|
/* */
|
||||||
|
/* topleft :: A vector from the topleft corner of `source' to the */
|
||||||
|
/* topleft corner of `target'. */
|
||||||
|
/* */
|
||||||
|
/* <Return> */
|
||||||
|
/* FreeType error code. 0~means success. */
|
||||||
|
/* */
|
||||||
|
/* <Note> */
|
||||||
|
/* This function reallocates the target bitmap if necessary; it */
|
||||||
|
/* doesn't perform clipping. */
|
||||||
|
/* */
|
||||||
|
FT_EXPORT( FT_Error )
|
||||||
|
FT_Bitmap_Blend( FT_Bitmap target,
|
||||||
|
FT_GlyphSlot source,
|
||||||
|
FT_Color color,
|
||||||
|
FT_Vector topleft );
|
||||||
|
|
||||||
|
|
||||||
/*************************************************************************/
|
/*************************************************************************/
|
||||||
/* */
|
/* */
|
||||||
/* <Function> */
|
/* <Function> */
|
||||||
|
|
|
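Review bot: `FT_Bitmap_Blend` is declared with `FT_Bitmap target` passed by value, yet the comment lists `target` under `<InOut>` as a handle, and the `<Note>` says the function reallocates the target bitmap if necessary. With a by-value struct the caller never sees an updated buffer pointer or new dimensions, so after a reallocation the caller's copy would presumably still refer to the old buffer; the implementation is not part of this section, so this is inferred from the declaration alone. Declaring the parameter as `FT_Bitmap*  target` would match the documented in/out contract. Since the `<Note>` also states that no clipping is performed, it should say which bounds on `topleft` and the source dimensions the caller is expected to enforce before calling.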
@ -561,9 +561,10 @@
|
||||||
TT_Load_Composite_Glyph( TT_Loader loader )
|
TT_Load_Composite_Glyph( TT_Loader loader )
|
||||||
{
|
{
|
||||||
FT_Error error;
|
FT_Error error;
|
||||||
FT_Byte* p = loader->cursor;
|
FT_Byte* p = loader->cursor;
|
||||||
FT_Byte* limit = loader->limit;
|
FT_Byte* limit = loader->limit;
|
||||||
FT_GlyphLoader gloader = loader->gloader;
|
FT_GlyphLoader gloader = loader->gloader;
|
||||||
|
FT_Long num_glyphs = loader->face->root.num_glyphs;
|
||||||
FT_SubGlyph subglyph;
|
FT_SubGlyph subglyph;
|
||||||
FT_UInt num_subglyphs;
|
FT_UInt num_subglyphs;
|
||||||
|
|
||||||
|
@ -592,6 +593,11 @@
|
||||||
subglyph->flags = FT_NEXT_USHORT( p );
|
subglyph->flags = FT_NEXT_USHORT( p );
|
||||||
subglyph->index = FT_NEXT_USHORT( p );
|
subglyph->index = FT_NEXT_USHORT( p );
|
||||||
|
|
||||||
|
/* we reject composites that have components */
|
||||||
|
/* with invalid glyph indices */
|
||||||
|
if ( subglyph->index >= num_glyphs )
|
||||||
|
goto Invalid_Composite;
|
||||||
|
|
||||||
/* check space */
|
/* check space */
|
||||||
count = 2;
|
count = 2;
|
||||||
if ( subglyph->flags & ARGS_ARE_WORDS )
|
if ( subglyph->flags & ARGS_ARE_WORDS )
|
||||||
|
|
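Review bot: The new bound check `if ( subglyph->index >= num_glyphs )` jumps to `Invalid_Composite` without any trace output, so in a debug build a font rejected for a bad component index cannot be told apart from one rejected by the space checks that follow. Bracing the branch and adding a line such as `FT_TRACE1(( "TT_Load_Composite_Glyph: component glyph index out of range\n" ));` before the `goto` would make fuzzer reports easier to triage; the message text is only a suggestion. The comment says the whole composite is rejected while the commit title speaks of rejecting elements; the comment is the one that matches the code, and it could state explicitly that one bad component discards the entire glyph. The function body and the `Invalid_Composite` label lie outside the visible hunks.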