author | Ben Wagner <bungeman@chromium.org> | 2021-06-30 18:22:29 -0400 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2021-07-01 07:02:04 +0200 |
commit | d3dc2da9b27af5b90575d62989389cc65fe7977c (patch) | |
tree | bed9b0d1fb40a6c5ff9b0d07d0a63eb8eda7de80 | |
parent | 286da6c528ace3443d993370c798cdc09011200b (diff) | |
download | freetype2-d3dc2da9b27af5b90575d62989389cc65fe7977c.tar.gz |
* src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`.
It is undefined behavior to pass `NULL` to `memcpy`. `coords` is
passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design`
explicitly call `tt_set_mm_blend` with `coords` as `NULL`. In
addition, `TT_Set_MM_Blend` has a similar possible issue.
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | src/truetype/ttgxvar.c | 7 |
2 files changed, 13 insertions, 3 deletions
@@ -1,3 +1,12 @@ +2021-07-01 Ben Wagner <bungeman@chromium.org> + + * src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`. + + It is undefined behavior to pass `NULL` to `memcpy`. `coords' is + passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design` + explictly call `tt_set_mm_blend` with `coords` as `NULL`. In + addition, `TT_Set_MM_Blend` has a similar possible issue. + 2021-06-30 Dominik Röttsches <drott@chromium.org> [sfnt] Support PaintScale in 'COLR' v1 parsing. diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index ad87746d8..aad3e2929 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -2663,9 +2663,10 @@ } blend->num_axis = mmvar->num_axis; - FT_MEM_COPY( blend->normalizedcoords, - coords, - num_coords * sizeof ( FT_Fixed ) ); + if ( coords ) + FT_MEM_COPY( blend->normalizedcoords, + coords, + num_coords * sizeof ( FT_Fixed ) ); if ( set_design_coords ) ft_var_to_design( face, |
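Review bot: In the src/truetype/ttgxvar.c hunk, the new `if ( coords )` guard carries no comment, so a reader cannot tell that a `NULL` `coords` is a supported call and that `blend->normalizedcoords` then keeps its previous contents. The `if ( set_design_coords )` branch that follows still calls `ft_var_to_design` whether or not the copy happened, so that behaviour deserves a line of explanation too. Suggest a short comment above the guard naming the callers that pass `NULL` (the commit message lists `TT_Get_MM_Blend` and `TT_Get_Var_Design`). The guard also tests only the pointer: a `NULL` `coords` together with a non-zero `num_coords` is silently accepted, and if that combination is not expected it should be checked explicitly rather than skipped.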
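Review bot: The new ChangeLog entry misspells "explicitly" as `explictly`, and in its second sentence `coords` is opened with a backtick but closed with an apostrophe, while every other identifier in the entry uses backticks on both sides. Suggest fixing both before the entry lands, since ChangeLog text is copied into release notes as written.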