From 3b8f16803c8a28919966e5ddb5d64ae982556d63 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Wed, 4 Apr 2018 20:26:08 +0200 Subject: [cff, type1] Sanitize `BlueFuzz' and `BlueShift'. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7371 * src/cff/cffload.c (cff_load_private_dict): Sanitize `priv->blue_shift' and `priv->blue_fuzz' to avoid overflows later on. * src/type1/t1load.c (T1_Open_Face): Ditto. --- ChangeLog | 14 ++++++++++++++ src/cff/cffload.c | 18 ++++++++++++++++++ src/pshinter/pshglob.c | 4 ++-- src/type1/t1load.c | 18 ++++++++++++++++++ 4 files changed, 52 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9133fecc2..8a8a04d5b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +2018-04-04 Werner Lemberg + + [cff, type1] Sanitize `BlueFuzz' and `BlueShift'. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7371 + + * src/cff/cffload.c (cff_load_private_dict): Sanitize + `priv->blue_shift' and `priv->blue_fuzz' to avoid overflows later + on. + + * src/type1/t1load.c (T1_Open_Face): Ditto. + 2018-04-04 Ben Wagner * src/truetype/ttobjs.c (trick_names): Add 3 tricky fonts (#53554), diff --git a/src/cff/cffload.c b/src/cff/cffload.c index ba49793dc..1c6fe5156 100644 --- a/src/cff/cffload.c +++ b/src/cff/cffload.c @@ -1933,6 +1933,24 @@ else if ( priv->initial_random_seed == 0 ) priv->initial_random_seed = 987654321; + /* some sanitizing to avoid overflows later on; */ + /* the upper limits are ad-hoc values */ + if ( priv->blue_shift > 1000 || priv->blue_shift < 0 ) + { + FT_TRACE2(( "cff_load_private_dict:" + " setting unlikely BlueShift value %d to default (7)\n", + priv->blue_shift )); + priv->blue_shift = 7; + } + + if ( priv->blue_fuzz > 1000 || priv->blue_fuzz < 0 ) + { + FT_TRACE2(( "cff_load_private_dict:" + " setting unlikely BlueFuzz value %d to default (1)\n", + priv->blue_fuzz )); + priv->blue_fuzz = 1; + } + Exit: /* clean up */ cff_blend_clear( subfont ); /* clear blend stack */ diff --git a/src/pshinter/pshglob.c b/src/pshinter/pshglob.c index 29f328d0e..accc04921 100644 --- a/src/pshinter/pshglob.c +++ b/src/pshinter/pshglob.c @@ -227,8 +227,8 @@ } - /* Re-read blue zones from the original fonts and store them into out */ - /* private structure. This function re-orders, sanitizes and */ + /* Re-read blue zones from the original fonts and store them into our */ + /* private structure. This function re-orders, sanitizes, and */ /* fuzz-expands the zones as well. */ static void psh_blues_set_zones( PSH_Blues target, diff --git a/src/type1/t1load.c b/src/type1/t1load.c index 2b8d4893c..9dfa637a6 100644 --- a/src/type1/t1load.c +++ b/src/type1/t1load.c @@ -2493,6 +2493,24 @@ type1->encoding.num_chars = loader.num_chars; } + /* some sanitizing to avoid overflows later on; */ + /* the upper limits are ad-hoc values */ + if ( priv->blue_shift > 1000 || priv->blue_shift < 0 ) + { + FT_TRACE2(( "T1_Open_Face:" + " setting unlikely BlueShift value %d to default (7)\n", + priv->blue_shift )); + priv->blue_shift = 7; + } + + if ( priv->blue_fuzz > 1000 || priv->blue_fuzz < 0 ) + { + FT_TRACE2(( "T1_Open_Face:" + " setting unlikely BlueFuzz value %d to default (1)\n", + priv->blue_fuzz )); + priv->blue_fuzz = 1; + } + Exit: t1_done_loader( &loader ); return error; -- cgit v1.2.1