author | Ben Wagner <bungeman@chromium.org> | 2022-02-22 20:37:43 -0500 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2022-02-23 17:42:55 +0100 |
commit | 034e5dbf92ea3a7ea7c9322e47a3a50ff23f7b55 (patch) | |
tree | 2fc375b6b887307bac4c0c6ac721bc6b9f663eae | |
parent | bcdfa38692d590dda5bc9e4334842abe92ec0ba5 (diff) | |
download | freetype2-034e5dbf92ea3a7ea7c9322e47a3a50ff23f7b55.tar.gz |
[psaux] Full bounds check for OtherSubr 19.
It is possible for OtherSubr 19 to be invoked when `decoder->buildchar` is
NULL (so that `decoder->len_buildchar` is 0), the `blend` is non-NULL with
`blend->num_designs` set to 2, and the user supplied `idx` to be large (for
example 0xFFFFFFFE). Since these are all `FT_UInt32` the existing bounds
check overflows in a well defined manner, allowing for an invalid call to
`memcpy`.
In addition, it is possible to call OtherSubr 19 with
`decoder->len_buildchar`, `blend->num_designs`, and `idx` all zero (implying
that `blend->weight_vector` and `decoder->buildchar` are NULL). This passes
the bounds check (it is logically always fine to copy nothing starting at
index zero) but may invoke undefined behavior in `ft_memcpy` if it is backed
by `memcpy`. Calling `memcpy` with either the `src` or `dst` NULL is
undefined behavior (even if `count` is zero).
* src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that
`blend->num_designs` can be copied to `decoder->buildchar[idx]`.
Also avoid passing NULL to `ft_memcpy`.
Bug: https://crbug.com/1299259
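To make the overflow the commit message describes concrete, here is an added stand-alone C model of the removed and the added bounds check plus the guarded copy; it is not FreeType code, it assumes `FT_UInt` is a 32-bit unsigned type as the message states, and the `weight_copy` / `sample_copy_behaves` helpers and their sample values are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumption: FT_UInt is a 32-bit unsigned integer, as the commit message states. */
typedef uint32_t FT_UInt;

/* Pre-patch check, transcribed from the removed lines:
 * `idx + blend->num_designs > decoder->len_buildchar`. Returns 1 when the
 * copy is allowed. Unsigned addition wraps modulo 2^32, so a huge idx can
 * produce a small sum that sits below len_buildchar. */
int old_check_allows( FT_UInt idx, FT_UInt num_designs, FT_UInt len_buildchar )
{
  return !( (FT_UInt)( idx + num_designs ) > len_buildchar );
}

/* Patched check, transcribed from the added lines. The first clause
 * guarantees the subtraction in the second clause cannot wrap. */
int new_check_allows( FT_UInt idx, FT_UInt num_designs, FT_UInt len_buildchar )
{
  return !( len_buildchar < num_designs ||
            len_buildchar - num_designs < idx );
}

/* Constructed model of the guarded copy. Returns the number of elements
 * copied, or -1 when the bounds check rejects the request. The pointer test
 * keeps memcpy from ever receiving a NULL src or dst, even for a zero count. */
long weight_copy( FT_UInt *buildchar, FT_UInt len_buildchar,
                  const FT_UInt *weight_vector, FT_UInt num_designs,
                  FT_UInt idx )
{
  if ( !new_check_allows( idx, num_designs, len_buildchar ) )
    return -1;
  if ( buildchar && weight_vector )
    memcpy( &buildchar[idx], weight_vector,
            num_designs * sizeof ( weight_vector[0] ) );
  return (long)num_designs;
}

/* Constructed sample: a 4-slot buildchar and a 2-design weight vector.
 * idx 2 fits (slots 2 and 3); idx 3 would run off the end and is refused. */
int sample_copy_behaves( void )
{
  FT_UInt       buildchar[4] = { 0, 0, 0, 0 };
  const FT_UInt weights[2]   = { 7, 8 };

  return weight_copy( buildchar, 4, weights, 2, 2 ) == 2 &&
         buildchar[2] == 7 && buildchar[3] == 8 &&
         weight_copy( buildchar, 4, weights, 2, 3 ) == -1;
}
```

With the values from the message (`len_buildchar` 0, `num_designs` 2, `idx` 0xFFFFFFFE) the old check wraps to 0 and lets the copy through, while the new check refuses it; the all-zero case passes both checks and the pointer guard turns it into a no-op instead of a `memcpy(NULL, NULL, 0)`.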
-rw-r--r-- | src/psaux/psintrp.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/src/psaux/psintrp.c b/src/psaux/psintrp.c index c550533a0..6c640eebd 100644 --- a/src/psaux/psintrp.c +++ b/src/psaux/psintrp.c @@ -1900,7 +1900,8 @@ /* WeightVector */ { FT_UInt idx; - PS_Blend blend = decoder->blend; + PS_Blend blend = decoder->blend; + FT_UInt len_buildchar = decoder->len_buildchar; if ( arg_cnt != 1 || !blend ) @@ -1908,14 +1909,15 @@ idx = (FT_UInt)cf2_stack_popInt( opStack ); - if ( idx + blend->num_designs > - decoder->len_buildchar ) + if ( len_buildchar < blend->num_designs || + len_buildchar - blend->num_designs < idx ) goto Unexpected_OtherSubr; - ft_memcpy( &decoder->buildchar[idx], - blend->weight_vector, - blend->num_designs * - sizeof ( blend->weight_vector[0] ) ); + if ( decoder->buildchar && blend->weight_vector ) + ft_memcpy( &decoder->buildchar[idx], + blend->weight_vector, + blend->num_designs * + sizeof ( blend->weight_vector[0] ) ); } break; |
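Review bot: in the first hunk (@@ -1900), the new local `FT_UInt len_buildchar = decoder->len_buildchar;` carries no comment saying why the field is cached, and the re-aligned `PS_Blend blend = decoder->blend;` shows up as a delete/add of an otherwise unchanged line; a one-line comment that the copy exists so the overflow-safe comparison in the next hunk reads as a pair of subtractions would spare the next reader a trip to the second hunk.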
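Review bot: in the second hunk (@@ -1908), the new `if ( decoder->buildchar && blend->weight_vector )` silently skips the copy rather than jumping to `Unexpected_OtherSubr`, so a non-NULL `decoder->buildchar` with `len_buildchar >= blend->num_designs > 0` but a NULL `blend->weight_vector` now passes the bounds check and returns without writing anything; if that state is considered impossible, a comment stating that the pointer test only covers the all-zero case described in the commit message would document the intent, otherwise an `else if ( blend->num_designs ) goto Unexpected_OtherSubr;` would make the inconsistency visible. The rewritten condition itself is sound: `len_buildchar < blend->num_designs` is tested first, so `len_buildchar - blend->num_designs` cannot wrap, and `< idx` then rejects every index that does not leave room for `num_designs` entries.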