author | Werner Lemberg <wl@gnu.org> | 2018-07-28 22:23:16 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2018-07-28 22:23:16 +0200 |
commit | 6e44d78cc1d89f39e1086441ae4cbb2815d9f067 (patch) | |
tree | 2952d63e39d27b6d44cf3dce52a222f4bd370312 | |
parent | c9edca8ee986f283e3396c88fb50f9d2b2187b99 (diff) | |
download | freetype2-6e44d78cc1d89f39e1086441ae4cbb2815d9f067.tar.gz |
[type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610
* src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | src/type1/t1driver.c | 57 |
2 files changed, 48 insertions, 19 deletions
@@ -1,3 +1,13 @@
+2018-07-28 Werner Lemberg <wl@gnu.org>
+
+ [type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610
+
+ * src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
+
 2018-07-27 Werner Lemberg <wl@gnu.org>
 [truetype] Make `TT_Set_MM_Blend' idempotent (#54388).
diff --git a/src/type1/t1driver.c b/src/type1/t1driver.c
index e5f6aca36..4d46e3ee6 100644
--- a/src/type1/t1driver.c
+++ b/src/type1/t1driver.c
@@ -270,9 +270,12 @@
 break;
 case PS_DICT_FONT_NAME:
- retval = ft_strlen( type1->font_name ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_name ), retval );
+ if ( type1->font_name )
+ {
+ retval = ft_strlen( type1->font_name ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_name ), retval );
+ }
 break;
 case PS_DICT_UNIQUE_ID:
@@ -362,7 +365,7 @@
 ok = 1;
 }
- if ( ok )
+ if ( ok && type1->subrs )
 {
 retval = type1->subrs_len[idx] + 1;
 if ( value && value_len >= retval )
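Review bot: The NULL guard added under `PS_DICT_FONT_NAME` is written out again, line for line, for the five `font_info` strings in the `@@ -559,33 +562,49 @@` hunk, so the next string key added to this switch can easily miss it. A small file-local helper that takes the source string, `value` and `value_len`, and does nothing for a NULL source, would keep the check in one place. With the guard, a NULL `font_name` leaves `retval` at whatever it was set to before the `switch`, which is outside the hunk. A one-line comment such as `/* may be NULL for malformed fonts; `retval' keeps its initial value */` would record that this is intended.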
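Review bot: In the `@@ -362,7 +365,7 @@` hunk the new condition `if ( ok && type1->subrs )` tests `subrs`, but the first access inside the block is `type1->subrs_len[idx]`, and `subrs_len` is not checked anywhere in the hunk. If the two arrays are always allocated and released together the guard is sufficient, but that invariant is not visible here. Either state it in a comment or test both, `if ( ok && type1->subrs && type1->subrs_len )`. The guarded block continues past the end of the hunk, so the copy that reads these arrays is not shown.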
@@ -559,33 +562,49 @@
 break;
 case PS_DICT_VERSION:
- retval = ft_strlen( type1->font_info.version ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.version ), retval );
+ if ( type1->font_info.version )
+ {
+ retval = ft_strlen( type1->font_info.version ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.version ), retval );
+ }
 break;
 case PS_DICT_NOTICE:
- retval = ft_strlen( type1->font_info.notice ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
+ if ( type1->font_info.notice )
+ {
+ retval = ft_strlen( type1->font_info.notice ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
+ }
 break;
 case PS_DICT_FULL_NAME:
- retval = ft_strlen( type1->font_info.full_name ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
+ if ( type1->font_info.full_name )
+ {
+ retval = ft_strlen( type1->font_info.full_name ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
+ }
 break;
 case PS_DICT_FAMILY_NAME:
- retval = ft_strlen( type1->font_info.family_name ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.family_name ), retval );
+ if ( type1->font_info.family_name )
+ {
+ retval = ft_strlen( type1->font_info.family_name ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.family_name ),
+ retval );
+ }
 break;
 case PS_DICT_WEIGHT:
- retval = ft_strlen( type1->font_info.weight ) + 1;
- if ( value && value_len >= retval )
- ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
+ if ( type1->font_info.weight )
+ {
+ retval = ft_strlen( type1->font_info.weight ) + 1;
+ if ( value && value_len >= retval )
+ ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
+ }
 break;
 case PS_DICT_ITALIC_ANGLE: |