[cid] Sanitize `BlueShift' and `BlueFuzz'.

This code is taken from the type1 module.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9510

* src/cid/cidload.c (parse_fd_array): Set some private dict default
values.
(cid_face_open): Do the sanitizing.
Fix some tracing messages.
This commit is contained in:
Werner Lemberg 2018-07-22 12:11:52 +02:00
parent 5434faadf4
commit a5acdce100
2 changed files with 49 additions and 11 deletions

View File

@ -1,3 +1,18 @@
2018-07-22 Werner Lemberg <wl@gnu.org>
[cid] Sanitize `BlueShift' and `BlueFuzz'.
This code is taken from the type1 module.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9510
* src/cid/cidload.c (parse_fd_array): Set some private dict default
values.
(cid_face_open): Do the sanitizing.
Fix some tracing messages.
2018-07-21 Werner Lemberg <wl@gnu.org>
[pcf] Fix handling of the undefined glyph.

View File

@ -270,14 +270,18 @@
cid->num_dicts = num_dicts;
/* don't forget to set a few defaults */
/* set some default values (the same as for Type 1 fonts) */
for ( n = 0; n < cid->num_dicts; n++ )
{
CID_FaceDict dict = cid->font_dicts + n;
/* default value for lenIV */
dict->private_dict.lenIV = 4;
dict->private_dict.blue_shift = 7;
dict->private_dict.blue_fuzz = 1;
dict->private_dict.lenIV = 4;
dict->private_dict.expansion_factor = (FT_Fixed)( 0.06 * 0x10000L );
dict->private_dict.blue_scale = (FT_Fixed)(
0.039625 * 0x10000L * 1000 );
}
}
@ -764,7 +768,7 @@
if ( cid->fd_bytes < 0 || cid->gd_bytes < 1 )
{
FT_ERROR(( "cid_parse_dict:"
FT_ERROR(( "cid_face_open:"
" Invalid `FDBytes' or `GDBytes' value\n" ));
error = FT_THROW( Invalid_File_Format );
goto Exit;
@ -773,7 +777,7 @@
/* allow at most 32bit offsets */
if ( cid->fd_bytes > 4 || cid->gd_bytes > 4 )
{
FT_ERROR(( "cid_parse_dict:"
FT_ERROR(( "cid_face_open:"
" Values of `FDBytes' or `GDBytes' larger than 4\n"
" "
" are not supported\n" ));
@ -789,17 +793,36 @@
CID_FaceDict dict = cid->font_dicts + n;
/* the upper limits are ad-hoc values */
if ( dict->private_dict.blue_shift > 1000 ||
dict->private_dict.blue_shift < 0 )
{
FT_TRACE2(( "cid_face_open:"
" setting unlikely BlueShift value %d to default (7)\n",
dict->private_dict.blue_shift ));
dict->private_dict.blue_shift = 7;
}
if ( dict->private_dict.blue_fuzz > 1000 ||
dict->private_dict.blue_fuzz < 0 )
{
FT_TRACE2(( "cid_face_open:"
" setting unlikely BlueFuzz value %d to default (1)\n",
dict->private_dict.blue_fuzz ));
dict->private_dict.blue_fuzz = 1;
}
if ( dict->sd_bytes < 0 ||
( dict->num_subrs && dict->sd_bytes < 1 ) )
{
FT_ERROR(( "cid_parse_dict: Invalid `SDBytes' value\n" ));
FT_ERROR(( "cid_face_open: Invalid `SDBytes' value\n" ));
error = FT_THROW( Invalid_File_Format );
goto Exit;
}
if ( dict->sd_bytes > 4 )
{
FT_ERROR(( "cid_parse_dict:"
FT_ERROR(( "cid_face_open:"
" Values of `SDBytes' larger than 4"
" are not supported\n" ));
error = FT_THROW( Invalid_File_Format );
@ -808,7 +831,7 @@
if ( dict->subrmap_offset > binary_length )
{
FT_ERROR(( "cid_parse_dict: Invalid `SubrMapOffset' value\n" ));
FT_ERROR(( "cid_face_open: Invalid `SubrMapOffset' value\n" ));
error = FT_THROW( Invalid_File_Format );
goto Exit;
}
@ -819,7 +842,7 @@
dict->num_subrs > ( binary_length - dict->subrmap_offset ) /
(FT_UInt)dict->sd_bytes ) )
{
FT_ERROR(( "cid_parse_dict: Invalid `SubrCount' value\n" ));
FT_ERROR(( "cid_face_open: Invalid `SubrCount' value\n" ));
error = FT_THROW( Invalid_File_Format );
goto Exit;
}
@ -827,7 +850,7 @@
if ( cid->cidmap_offset > binary_length )
{
FT_ERROR(( "cid_parse_dict: Invalid `CIDMapOffset' value\n" ));
FT_ERROR(( "cid_face_open: Invalid `CIDMapOffset' value\n" ));
error = FT_THROW( Invalid_File_Format );
goto Exit;
}
@ -836,7 +859,7 @@
cid->cid_count >
( binary_length - cid->cidmap_offset ) / entry_len )
{
FT_ERROR(( "cid_parse_dict: Invalid `CIDCount' value\n" ));
FT_ERROR(( "cid_face_open: Invalid `CIDCount' value\n" ));
error = FT_THROW( Invalid_File_Format );
goto Exit;
}