-rw-r--r-- | ChangeLog | 20 | ||||
-rw-r--r-- | src/psaux/psintrp.c | 8 |
2 files changed, 27 insertions, 1 deletions
@@ -1,10 +1,30 @@
 2021-06-12 Werner Lemberg <wl@gnu.org>
+ [psaux] Fix another assertion.
+
+ * src/psaux/psintrp.c (cf2_interpT2CharString)
+ <cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
+ problem can happen with invalid user input.
+
+ Test case is file
+
+ fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read
+
+ in the `freetype2-testing` repository.
+
+2021-06-12 Werner Lemberg <wl@gnu.org>
+
 [psaux] Fix assertions.
 * src/psaux/pshints.c (cf2_hintmap_adjustHints): Check for overflow before emitting an assertion error.
+ Test case is file
+
+ fuzzing/corpora/legacy/oss-fuzz/4594115297673216-integer-overflow
+
+ in the `freetype2-testing` repository.
+
 2021-06-09 Alexei Podtelezhnikov <apodtele@gmail.com>
 * src/truetype/ttinterp.c (TT_RunIns): Optimize tracing.
diff --git a/src/psaux/psintrp.c b/src/psaux/psintrp.c
index cc1b67600..40e927663 100644
--- a/src/psaux/psintrp.c
+++ b/src/psaux/psintrp.c
@@ -1670,7 +1670,13 @@
 */
 count = cf2_stack_count( opStack );
- FT_ASSERT( (CF2_UInt)arg_cnt <= count );
+ if ( (CF2_UInt)arg_cnt > count )
+ {
+ FT_ERROR(( "cf2_interpT2CharString (Type 1 mode):"
+ " stack underflow\n" ));
+ lastError = FT_THROW( Invalid_Glyph_Format );
+ goto exit;
+ }
 opIdx += count - (CF2_UInt)arg_cnt; |