diff options
author | Werner Lemberg <wl@gnu.org> | 2018-07-22 12:11:52 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2018-07-22 12:11:52 +0200 |
commit | a5acdce10076b0ad717b9b8eb455f811ed1d1f45 (patch) | |
tree | 90984003de37e80d8bdff88040da23c1707a187c | |
parent | 5434faadf4e59c891f179443a822adadc48728c3 (diff) | |
download | freetype2-a5acdce10076b0ad717b9b8eb455f811ed1d1f45.tar.gz |
[cid] Sanitize `BlueShift' and `BlueFuzz'.
This code is taken from the type1 module.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9510
* src/cid/cidload.c (parse_fd_array): Set some private dict default
values.
(cid_face_open): Do the sanitizing.
Fix some tracing messages.
-rw-r--r-- | ChangeLog | 15 | ||||
-rw-r--r-- | src/cid/cidload.c | 45 |
2 files changed, 49 insertions, 11 deletions
@@ -1,3 +1,18 @@ +2018-07-22 Werner Lemberg <wl@gnu.org> + + [cid] Sanitize `BlueShift' and `BlueFuzz'. + + This code is taken from the type1 module. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9510 + + * src/cid/cidload.c (parse_fd_array): Set some private dict default + values. + (cid_face_open): Do the sanitizing. + Fix some tracing messages. + 2018-07-21 Werner Lemberg <wl@gnu.org> [pcf] Fix handling of the undefined glyph. diff --git a/src/cid/cidload.c b/src/cid/cidload.c index 8f2a312ab..057a8b0a4 100644 --- a/src/cid/cidload.c +++ b/src/cid/cidload.c @@ -270,14 +270,18 @@ cid->num_dicts = num_dicts; - /* don't forget to set a few defaults */ + /* set some default values (the same as for Type 1 fonts) */ for ( n = 0; n < cid->num_dicts; n++ ) { CID_FaceDict dict = cid->font_dicts + n; - /* default value for lenIV */ - dict->private_dict.lenIV = 4; + dict->private_dict.blue_shift = 7; + dict->private_dict.blue_fuzz = 1; + dict->private_dict.lenIV = 4; + dict->private_dict.expansion_factor = (FT_Fixed)( 0.06 * 0x10000L ); + dict->private_dict.blue_scale = (FT_Fixed)( + 0.039625 * 0x10000L * 1000 ); } } @@ -764,7 +768,7 @@ if ( cid->fd_bytes < 0 || cid->gd_bytes < 1 ) { - FT_ERROR(( "cid_parse_dict:" + FT_ERROR(( "cid_face_open:" " Invalid `FDBytes' or `GDBytes' value\n" )); error = FT_THROW( Invalid_File_Format ); goto Exit; @@ -773,7 +777,7 @@ /* allow at most 32bit offsets */ if ( cid->fd_bytes > 4 || cid->gd_bytes > 4 ) { - FT_ERROR(( "cid_parse_dict:" + FT_ERROR(( "cid_face_open:" " Values of `FDBytes' or `GDBytes' larger than 4\n" " " " are not supported\n" )); @@ -789,17 +793,36 @@ CID_FaceDict dict = cid->font_dicts + n; + /* the upper limits are ad-hoc values */ + if ( dict->private_dict.blue_shift > 1000 || + dict->private_dict.blue_shift < 0 ) + { + FT_TRACE2(( "cid_face_open:" + " setting unlikely BlueShift value %d to default (7)\n", + dict->private_dict.blue_shift )); + dict->private_dict.blue_shift = 7; + } + + if ( dict->private_dict.blue_fuzz > 1000 || + dict->private_dict.blue_fuzz < 0 ) + { + FT_TRACE2(( "cid_face_open:" + " setting unlikely BlueFuzz value %d to default (1)\n", + dict->private_dict.blue_fuzz )); + dict->private_dict.blue_fuzz = 1; + } + if ( dict->sd_bytes < 0 || ( dict->num_subrs && dict->sd_bytes < 1 ) ) { - FT_ERROR(( "cid_parse_dict: Invalid `SDBytes' value\n" )); + FT_ERROR(( "cid_face_open: Invalid `SDBytes' value\n" )); error = FT_THROW( Invalid_File_Format ); goto Exit; } if ( dict->sd_bytes > 4 ) { - FT_ERROR(( "cid_parse_dict:" + FT_ERROR(( "cid_face_open:" " Values of `SDBytes' larger than 4" " are not supported\n" )); error = FT_THROW( Invalid_File_Format ); @@ -808,7 +831,7 @@ if ( dict->subrmap_offset > binary_length ) { - FT_ERROR(( "cid_parse_dict: Invalid `SubrMapOffset' value\n" )); + FT_ERROR(( "cid_face_open: Invalid `SubrMapOffset' value\n" )); error = FT_THROW( Invalid_File_Format ); goto Exit; } @@ -819,7 +842,7 @@ dict->num_subrs > ( binary_length - dict->subrmap_offset ) / (FT_UInt)dict->sd_bytes ) ) { - FT_ERROR(( "cid_parse_dict: Invalid `SubrCount' value\n" )); + FT_ERROR(( "cid_face_open: Invalid `SubrCount' value\n" )); error = FT_THROW( Invalid_File_Format ); goto Exit; } @@ -827,7 +850,7 @@ if ( cid->cidmap_offset > binary_length ) { - FT_ERROR(( "cid_parse_dict: Invalid `CIDMapOffset' value\n" )); + FT_ERROR(( "cid_face_open: Invalid `CIDMapOffset' value\n" )); error = FT_THROW( Invalid_File_Format ); goto Exit; } @@ -836,7 +859,7 @@ cid->cid_count > ( binary_length - cid->cidmap_offset ) / entry_len ) { - FT_ERROR(( "cid_parse_dict: Invalid `CIDCount' value\n" )); + FT_ERROR(( "cid_face_open: Invalid `CIDCount' value\n" )); error = FT_THROW( Invalid_File_Format ); goto Exit; } |