forked from minhngoc25a/freetype2
034e5dbf92
It is possible for OtherSubr 19 to be invoked when `decoder->buildchar` is NULL (so that `decoder->len_buildchar` is 0), the `blend` is non-NULL with `blend->num_designs` set to 2, and the user supplied `idx` to be large (for example 0xFFFFFFFE). Since these are all `FT_UInt32` the existing bounds check overflows in a well defined manner, allowing for an invalid call to `memcpy`. In addition, it is possible to call OtherSubr 19 with `decoder->len_buildchar`, `blend->num_designs`, and `idx` all zero (implying that `blend->weight_vector` and `decoder->buildchar` are NULL). This passes the bounds check (it is logically always fine to copy nothing starting at index zero) but may invoke undefined behavior in `ft_memcpy` if it is backed by `memcpy`. Calling `memcpy` with either the `src` or `dst` NULL is undefined behavior (even if `count` is zero). * src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that `blend->num_designs` can be copied to `decoder->buildchar[idx]`. Also avoid passing NULL to `ft_memcpy`. Bug: https://crbug.com/1299259 |
||
|---|---|---|
| .. | ||
| afmparse.c | ||
| afmparse.h | ||
| cffdecode.c | ||
| cffdecode.h | ||
| module.mk | ||
| psarrst.c | ||
| psarrst.h | ||
| psaux.c | ||
| psauxerr.h | ||
| psauxmod.c | ||
| psauxmod.h | ||
| psblues.c | ||
| psblues.h | ||
| psconv.c | ||
| psconv.h | ||
| pserror.c | ||
| pserror.h | ||
| psfixed.h | ||
| psfont.c | ||
| psfont.h | ||
| psft.c | ||
| psft.h | ||
| psglue.h | ||
| pshints.c | ||
| pshints.h | ||
| psintrp.c | ||
| psintrp.h | ||
| psobjs.c | ||
| psobjs.h | ||
| psread.c | ||
| psread.h | ||
| psstack.c | ||
| psstack.h | ||
| pstypes.h | ||
| rules.mk | ||
| t1cmap.c | ||
| t1cmap.h | ||
| t1decode.c | ||
| t1decode.h | ||