author | Werner Lemberg <wl@gnu.org> | 2018-09-12 07:40:49 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2018-09-12 07:40:49 +0200 |
commit | 65681e6dc1937db57d5905c5dd89e0a306bc0634 (patch) | |
tree | 0b21c3e06fe78a566b9105ad15017f33e1967495 /src/truetype/ttgxvar.c | |
parent | 53c5e4bd87ff8035d91022204bb5f3a051e78a99 (diff) | |
download | freetype2-65681e6dc1937db57d5905c5dd89e0a306bc0634.tar.gz |
[truetype] Improve VF check.
Triggered by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255
* src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
for `tupleCount'.
Diffstat (limited to 'src/truetype/ttgxvar.c')
-rw-r--r-- | src/truetype/ttgxvar.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 3a2c5409d..bb6c6849d 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3672,6 +3672,7 @@
     FT_UInt   tupleCount;
     FT_ULong  offsetToData;
+    FT_ULong  dataSize;
     FT_ULong  here;
     FT_UInt   i, j;
@@ -3712,9 +3713,11 @@
          FT_NEW_ARRAY( has_delta, n_points ) )
       goto Fail1;
-    if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
-         FT_FRAME_ENTER( blend->glyphoffsets[glyph_index + 1] -
-                           blend->glyphoffsets[glyph_index] ) )
+    dataSize = blend->glyphoffsets[glyph_index + 1] -
+                 blend->glyphoffsets[glyph_index];
+
+    if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
+         FT_FRAME_ENTER( dataSize ) )
       goto Fail1;
     glyph_start = FT_Stream_FTell( stream );
@@ -3731,7 +3734,7 @@
     /* rough sanity test */
     if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
-           blend->gvar_size )
+           dataSize )
     {
       FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
                   " invalid glyph variation array header\n" ));
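Review bot: The new `dataSize = blend->glyphoffsets[glyph_index + 1] - blend->glyphoffsets[glyph_index];` in the second hunk has no guard against `glyphoffsets[glyph_index + 1]` being smaller than `glyphoffsets[glyph_index]`; both operands are FT_ULong, so a font whose offset array is not non-decreasing yields a wrapped-around, huge `dataSize`, unless the code that loads the offset table already enforces monotonicity (not visible here). `FT_FRAME_ENTER( dataSize )` should then fail at the stream level and the later `> dataSize` comparison would accept any header, so the mistake is probably contained, but the intent is clearer with an explicit rejection before the subtraction: `if ( blend->glyphoffsets[glyph_index + 1] < blend->glyphoffsets[glyph_index] ) { error = FT_THROW( Invalid_Table ); goto Fail1; }`. The third hunk's comparison only bounds the tuple-header array, as its `rough sanity test` comment says; the per-tuple data read afterwards is presumably bounded by the entered frame rather than by this check. Also, the commit message attributes the change to `ft_var_load_gvar`, while the trace string in the third hunk shows the changed code is in TT_Vary_Apply_Glyph_Deltas, so the ChangeLog line likely wants that name. The enclosing function begins and ends outside these hunks.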