authorWerner Lemberg <wl@gnu.org>2022-01-08 10:28:19 +0100
committerWerner Lemberg <wl@gnu.org>2022-01-08 10:28:19 +0100
commit7a493e3a404cd04ad2d798e985d7441bd2d955ea (patch)
tree69a2cad030db3ce3e5d6c7ba605bb9c701b546bf
parentbf9b1ef90564987856a42461147435f143e9e7cd (diff)
[sfnt, type42] Correct previous commit.
Really fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42773. * src/sfnt/ttload.c (check_table_dir): Revert change. * src/type42/t42parse.c (t42_parse_sfnts): Don't use `FT_QREALLOC` but `FT_REALLOC` for setting up `ttf_data` to avoid uninitialized memory access while handling malformed TrueType fonts later on.
-rw-r--r--src/sfnt/ttload.c2
-rw-r--r--src/type42/t42parse.c13
2 files changed, 11 insertions, 4 deletions
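diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 184e43ec2..51416d80b 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -200,7 +200,7 @@
 for ( nn = 0; nn < sfnt->num_tables; nn++ )
 {
-TT_TableRec table = { 0, 0, 0, 0 };
+TT_TableRec table;
 if ( FT_STREAM_READ_FIELDS( table_dir_entry_fields, &table ) )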
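Review bot: With the zero-initializer gone, `table` holds indeterminate values until `FT_STREAM_READ_FIELDS` succeeds, so the later uses of its fields in this loop are well-defined only if `table_dir_entry_fields` populates every member and the failure branch leaves without touching `table`. I would pin that invariant next to the declaration so the next person does not re-add the initializer as a "fix", e.g. `/* every field is populated by FT_STREAM_READ_FIELDS below; never read on its failure path */`. The body of the `if` and the rest of `check_table_dir` lie outside the hunk, so I cannot confirm from here that no field is read before the read succeeds.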
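diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index ea2c5198a..0407b1a11 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -718,7 +718,9 @@
 goto Fail;
 }
-if ( FT_QREALLOC( face->ttf_data, 12, face->ttf_size ) )
+/* To handle bad fonts with an invalid table directory */
+/* we don't use `FT_QREALLOC` here. */
+if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
 goto Fail;
 }
 /* fall through */
@@ -767,8 +769,13 @@
 FT_TRACE2(( " allocating %ld bytes\n", face->ttf_size + 1 ));
 FT_TRACE2(( "\n" ));
-if ( FT_QREALLOC( face->ttf_data, 12 + 16 * num_tables,
-face->ttf_size + 1 ) )
+/* To handle bad fonts we don't use `FT_QREALLOC` here: */
+/* chances are high that due to incorrect values in the */
+/* table directory the computation of `ttf_size` would be */
+/* incorrect otherwise, causing run-time errors because of */
+/* accessing uninitialized memory. */
+if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
+face->ttf_size + 1 ) )
 goto Fail;
 }
 /* fall through */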
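Review bot: The comment above the second `FT_REALLOC` explains the choice with "chances are high", but the property the code now depends on is concrete: as I read ftmemory.h, `FT_REALLOC`, unlike `FT_QREALLOC`, zero-fills the bytes between the current and the new size, so a `ttf_size` that a bad table directory inflates beyond the data actually copied yields defined zeros instead of indeterminate memory. That only holds if the current-size argument (`12 + 16 * num_tables` here, `12` in the first hunk) equals the buffer's real previous size; if the allocation is resized between the two calls in code the hunk does not show, the zero-fill covers the wrong range and the uninitialized read the commit targets comes back. I would replace the five-line comment with one that names the mechanism, e.g. `/* FT_REALLOC zero-fills the grown region: a bogus table directory can make ttf_size exceed the bytes actually copied, and the zero fill keeps later reads of that gap deterministic. */`. This is hardening rather than validation, so the offsets and lengths taken from the directory still need bounds checks against `ttf_size` where they are consumed. `t42_parse_sfnts` begins and ends outside the hunk.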