authorWerner Lemberg <wl@gnu.org>2009-03-20 06:49:10 +0100
committerWerner Lemberg <wl@gnu.org>2009-03-20 06:49:10 +0100
commit0545ec1ca36b27cb928128870a83e5f668980bc5 (patch)
treee32faccc80fe2a19a9a6d5b5afd94a02b471f293
parent8b819254b9fa1e686eaff8f6b214dfd8eeebe8a0 (diff)
downloadfreetype2-0545ec1ca36b27cb928128870a83e5f668980bc5.tar.gz
Protect against invalid SID values in CFFs.
Problem reported by Tavis Ormandy <taviso@google.com>. * src/cff/cffload.c (cff_charset_load): Reject SID values larger than 64999.
-rw-r--r--ChangeLog9
-rw-r--r--src/cff/cffload.c29
2 files changed, 37 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 3c6ea08d6..512d99ccd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2009-03-20 Werner Lemberg <wl@gnu.org>
+
+ Protect against invalid SID values in CFFs.
+
+ Problem reported by Tavis Ormandy <taviso@google.com>.
+
+ * src/cff/cffload.c (cff_charset_load): Reject SID values larger
+ than 64999.
+
2009-03-19 Vincent Richomme <richom.v@free.fr>
Update WinCE Visual C project files.
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 22163fb75..24b899d17 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -842,7 +842,20 @@
goto Exit;
for ( j = 1; j < num_glyphs; j++ )
- charset->sids[j] = FT_GET_USHORT();
+ {
+ FT_UShort sid = FT_GET_USHORT();
+
+
+ /* this constant is given in the CFF specification */
+ if ( sid < 65000 )
+ charset->sids[j] = sid;
+ else
+ {
+ FT_ERROR(( "cff_charset_load:"
+ " invalid SID value %d set to zero\n", sid ));
+ charset->sids[j] = 0;
+ }
+ }
FT_FRAME_EXIT();
}
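Review bot: The `sid < 65000` test enforces the spec-wide SID ceiling, not the bound that actually matters for memory safety in this font: a SID of, say, 60000 passes here even when the font's String INDEX holds only a handful of custom strings, so whatever later resolves `sid - 391` against that index (outside this hunk, presumably cff_index_get_sid_string) must still range-check it against the real string count. A comment above the check would stop a reader from taking it as sufficient on its own: `/* 65000 is the spec limit on SIDs, not this font's string count; */` `/* the String INDEX lookup must still bound-check sid - 391 */`. Also note the code substitutes SID 0 (.notdef) and carries on rather than failing the load, whereas the ChangeLog says "Reject"; either the message or the wording should say which is meant. cff_charset_load begins before and ends after this hunk.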
@@ -875,6 +888,20 @@
goto Exit;
}
+ /* check whether the range contains at least one valid glyph; */
+ /* the constant is given in the CFF specification */
+ if ( glyph_sid >= 65000 ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
+ error = CFF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
+ /* try to rescue some of the SIDs if `nleft' is too large */
+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
+ nleft = 65000 - 1 - glyph_sid;
+ }
+
/* Fill in the range of sids -- `nleft + 1' glyphs. */
for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
charset->sids[j] = glyph_sid;
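Review bot: Both new `if ( ... ) {` lines put the opening brace on the condition line, while this file puts braces on their own line (see the `else` / `{` pair in the previous hunk), so they should be broken out the same way. The trim condition is also harder to verify than it needs to be: `65000 - nleft` is only safe because the first clause catches nleft >= 65000 before the unsigned subtraction can wrap, and a reader has to notice that. Since `glyph_sid >= 65000` has already been rejected two lines up, the test can simply be the bound that is assigned afterwards, `if ( nleft > 65000 - 1 - glyph_sid )`, assuming nleft and glyph_sid are unsigned as the FT_GET_* readers suggest (their declarations are outside the hunk). The literal 65000 now appears five times across the two hunks and would be clearer as a single named constant carrying the spec reference in its comment. cff_charset_load starts before and ends after this hunk.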