[psaux] Better protect `flex' handling.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935

* src/psaux/t1decode.c (t1_decoder_parse_charstrings) <callothersubr>: Since there is not a single flex operator but a series of subroutine calls, malformed fonts can call arbitrary other operators after the start of a flex, possibly adding points. For this reason we have to check the available number of points before inserting a point.
parent 913f436d12
commit f958c48ee4
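The sequence the commit message describes, as an added example that is not part of this commit or of FreeType: a small C model in which the flex start reserves six points (as t1decode.c does), every `0 2 callothersubr` vector is written by an add_point that trusts that reservation, and a malformed charstring interleaves rlineto operators that consume it. MAX_POINTS, the opcode names, the Builder/Op types and all function names are constructed for the model; the `hardened` flag toggles the per-vector re-check this commit introduces so both behaviours can be run side by side.

```c
/* Constructed model of the flex handling described in the commit message;
 * this is not FreeType's code.  An 8-point buffer stands in for the glyph
 * loader, the opcodes and function names are hypothetical, and the flex
 * start reserves six points as t1decode.c does. */
#include <stddef.h>
#include <stdio.h>

#define MAX_POINTS  8          /* constructed: tiny, so the overflow is easy to reach */
#define ERR_OK      0
#define ERR_SYNTAX  1

enum { OP_FLEX_START, OP_FLEX_POINT, OP_RLINETO, OP_FLEX_END };
typedef struct { int op, dx, dy; } Op;

typedef struct {
  int           x[MAX_POINTS], y[MAX_POINTS];
  unsigned char on_curve[MAX_POINTS];
  int           n_points;
  int           oob_writes;    /* writes that would have landed past the buffer */
} Builder;

/* like t1_builder_check_points(): is there room for `count' more points? */
static int check_points( const Builder *b, int count )
{
  return b->n_points + count <= MAX_POINTS ? ERR_OK : ERR_SYNTAX;
}

/* like t1_builder_add_point(): trusts an earlier check; here a write past
 * the end is counted instead of corrupting memory */
static void add_point( Builder *b, int x, int y, unsigned char on_curve )
{
  if ( b->n_points < MAX_POINTS ) {
    b->x[b->n_points] = x;  b->y[b->n_points] = y;
    b->on_curve[b->n_points] = on_curve;
  } else
    b->oob_writes++;
  b->n_points++;
}

/* `hardened' enables the per-vector re-check this commit adds; without it
 * the othersubr 2 path trusts the six points reserved at flex start */
static int decode( const Op *ops, size_t n_ops, int hardened, Builder *b )
{
  int    x = 0, y = 0, flex_state = 0, num_flex_vectors = 0;
  size_t i;

  b->n_points = 0;  b->oob_writes = 0;
  for ( i = 0; i < n_ops; i++ ) {
    x += ops[i].dx;  y += ops[i].dy;
    switch ( ops[i].op ) {
    case OP_FLEX_START:                    /* `subr# 1 callothersubr' */
      flex_state = 1;  num_flex_vectors = 0;
      if ( check_points( b, 6 ) ) return ERR_SYNTAX;
      break;
    case OP_FLEX_POINT: {                  /* rmoveto, then `0 2 callothersubr' */
      int idx;
      if ( !flex_state ) return ERR_SYNTAX;
      idx = num_flex_vectors++;
      if ( idx > 0 && idx < 7 ) {          /* idx 0 is the reference point */
        if ( hardened && check_points( b, 1 ) ) return ERR_SYNTAX;
        add_point( b, x, y, (unsigned char)( idx == 3 || idx == 6 ) );
      }
      break; }
    case OP_RLINETO:                       /* an operator a malformed font interleaves */
      if ( check_points( b, 1 ) ) return ERR_SYNTAX;
      add_point( b, x, y, 1 );
      break;
    case OP_FLEX_END:                      /* `... 0 callothersubr' */
      if ( !flex_state || num_flex_vectors != 7 ) return ERR_SYNTAX;
      flex_state = 0;
      break;
    }
  }
  return ERR_OK;
}

/* constructed charstrings: a valid flex, and one with three rlineto's wedged
 * between the flex start and its seven vectors */
#define FLEX_VECTORS  { OP_FLEX_POINT, 0, 0 }, { OP_FLEX_POINT, 10, 2 }, \
  { OP_FLEX_POINT, 10, 4 }, { OP_FLEX_POINT, 10, 6 }, { OP_FLEX_POINT, 10, 4 }, \
  { OP_FLEX_POINT, 10, 2 }, { OP_FLEX_POINT, 10, 0 }
static const Op good_flex[] = { { OP_FLEX_START, 0, 0 }, FLEX_VECTORS, { OP_FLEX_END, 0, 0 } };
static const Op bad_flex[]  = { { OP_FLEX_START, 0, 0 }, { OP_RLINETO, 5, 5 },
  { OP_RLINETO, 5, 5 }, { OP_RLINETO, 5, 5 }, FLEX_VECTORS, { OP_FLEX_END, 0, 0 } };
#define N_OPS( a )  ( sizeof ( a ) / sizeof ( (a)[0] ) )

static int run( const Op *ops, size_t n, int hardened, int want_oob )
{
  Builder b;
  int     status = decode( ops, n, hardened, &b );
  return want_oob ? b.oob_writes : status;
}
int good_flex_status( int hardened ) { return run( good_flex, N_OPS( good_flex ), hardened, 0 ); }
int good_flex_oob( int hardened )    { return run( good_flex, N_OPS( good_flex ), hardened, 1 ); }
int bad_flex_status( int hardened )  { return run( bad_flex,  N_OPS( bad_flex ),  hardened, 0 ); }
int bad_flex_oob( int hardened )     { return run( bad_flex,  N_OPS( bad_flex ),  hardened, 1 ); }

int main( void )
{
  printf( "malformed flex, before fix: status %d, out-of-bounds writes %d\n",
          bad_flex_status( 0 ), bad_flex_oob( 0 ) );
  printf( "malformed flex, with fix:   status %d, out-of-bounds writes %d\n",
          bad_flex_status( 1 ), bad_flex_oob( 1 ) );
  return 0;
}
```

Compiled and run, the old path accepts the malformed charstring and makes one write past the 8-point buffer (the sixth flex vector lands at index 8), while the re-check rejects it with a syntax error before that write; the well-formed flex passes in both modes. The real t1_builder_check_points also grows the outline where this model only bounds it, but the slack reserved at flex start is consumed by interleaved operators in exactly the same way.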
15 ChangeLog
@ -1,3 +1,18 @@
2017-03-23 Werner Lemberg <wl@gnu.org>
[psaux] Better protect `flex' handling.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
<callothersubr>: Since there is not a single flex operator but a
series of subroutine calls, malformed fonts can call arbitrary other
operators after the start of a flex, possibly adding points. For
this reason we have to check the available number of points before
inserting a point.
2017-03-23 Werner Lemberg <wl@gnu.org>
[sfnt] Fix check for default named instance.
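Review bot: the new entry says the available number of points is now checked before a point is inserted, but not what happens when that check fails; the accompanying t1decode.c hunk jumps to Syntax_Error, so a charstring that runs out of points mid-flex is now rejected outright rather than having the point written past what was reserved, and that user-visible behaviour change belongs in the ChangeLog text. Suggest extending the last sentence, e.g. `inserting a point, and reject the charstring if the check fails.`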
@ -780,10 +780,19 @@
/* point without adding any point to the outline */
idx = decoder->num_flex_vectors++;
if ( idx > 0 && idx < 7 )
{
/* in malformed fonts it is possible to have other */
/* opcodes in the middle of a flex (which don't */
/* increase `num_flex_vectors'); we thus have to */
/* check whether we can add a point */
if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
goto Syntax_Error;
t1_builder_add_point( builder,
x,
y,
(FT_Byte)( idx == 3 || idx == 6 ) );
}
}
break;
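Review bot: `FT_SET_ERROR( t1_builder_check_points( builder, 1 ) )` stores the check's result in `error`, yet the failure path is `goto Syntax_Error`; if that label returns its own Syntax_Error code rather than `error`, an allocation failure inside the check is reported to the caller as a malformed font, so consider jumping to the label that returns `error` (as for the other FT_SET_ERROR failures in this function) unless the intent really is to treat every failure here as a charstring fault. The check itself is placed correctly: it sits inside the `idx > 0 && idx < 7` guard, so only the six vectors that actually call t1_builder_add_point are re-checked, and asking for one point per call is the right granularity given that the comment block explains arbitrary point-adding opcodes can run between the flex vectors. One small documentation point: the comment says those opcodes "don't increase `num_flex_vectors'" but the real hazard is that they consume the points reserved at flex start; stating that makes the reason for re-checking here clearer to the next reader.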