author | Chris Liddell <chris.liddell@artifex.com> | 2022-08-30 09:10:52 +0100 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2022-09-02 15:59:07 +0100 |
commit | 3f10216309b123fe521888835e07921735f1ddfe (patch) | |
tree | c0e0a3da59ae8809c3da138ff89f3b0289b1a54b | |
parent | 718f24fdf42fdef7c6f33318b953c9d103fed07f (diff) | |
download | ghostpdl-3f10216309b123fe521888835e07921735f1ddfe.tar.gz |
oss-fuzz 50754: Validate TTF post table version at creation
Previously we just stored the offset for the post table, and checked the version
when required to read from it. That can cost considerable time if the post table
version is invalid. So check it up front, and set the offset to zero if the
version is bad.
-rw-r--r-- | base/gstype42.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/base/gstype42.c b/base/gstype42.c
index 579a17a4d..5ef1c2279 100644
--- a/base/gstype42.c
+++ b/base/gstype42.c
@@ -68,6 +68,8 @@ font_proc_font_info(gs_truetype_font_info); /* Type check. */
 #define PUTU16(p, n, offs) {(p + offs)[0] = n >> 8 & 255; (p + offs)[1] = n & 255;}
+static byte const ver10[4] = {0x00, 0x01, 0x00, 0x00};
+static byte const ver20[4] = {0x00, 0x02, 0x00, 0x00};
 /* ---------------- Font level ---------------- */
@@ -207,7 +209,14 @@ gs_type42_font_init(gs_font_type42 * pfont, int subfontID)
 if (!memcmp(tab, "cmap", 4))
 pfont->data.cmap = offset;
 else if (!memcmp(tab, "post", 4)) {
- pfont->data.post_offset = offset;
+ byte ver[4];
+ READ_SFNTS(pfont, offset, 4, ver);
+ if (memcmp(ver, ver10, 4) == 0 || memcmp(ver, ver20, 4) == 0) {
+ pfont->data.post_offset = offset;
+ }
+ else {
+ pfont->data.post_offset = 0;
+ }
 }
 else if (!memcmp(tab, "glyf", 4)) {
 pfont->data.glyf = offset;
@@ -761,8 +770,6 @@ gs_type42_find_post_name(gs_font_type42 * pfont, gs_glyph glyph, gs_string *gnam
 if (pfont->FontType == ft_TrueType) {
 if (pfont->data.post_offset != 0) {
 byte ver[4];
- byte const ver10[4] = {0x00, 0x01, 0x00, 0x00};
- byte const ver20[4] = {0x00, 0x02, 0x00, 0x00};
 READ_SFNTS(pfont, pfont->data.post_offset, 4, ver);
 if (!memcmp(ver, ver10, 4)){
@@ -808,6 +815,9 @@ gs_type42_find_post_name(gs_font_type42 * pfont, gs_glyph glyph, gs_string *gnam
 }
 }
 }
+ else {
+ code2 = gs_error_invalidfont;
+ }
 }
 }
 else |
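Review bot: The new `READ_SFNTS(pfont, offset, 4, ver);` in the `post` branch of `gs_type42_font_init` reads through an offset taken straight from the font's table directory, and nothing in this hunk says what happens when that read fails. The macro's definition is outside the hunk; its unchecked use in `gs_type42_find_post_name` suggests it returns from the enclosing function on error, in which case a font whose `post` entry is truncated or points outside the data would now fail initialisation as a whole instead of only losing glyph names. If the intent is the one in the commit message (zero the offset when the table is unusable), a failed read should be treated like a bad version, and the sentinel documented with something like `/* post_offset == 0: no post table, or one whose version we cannot use for glyph names */`. The enclosing function starts and ends outside the hunk.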
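Review bot: The added `else { code2 = gs_error_invalidfont; }` near the end of `gs_type42_find_post_name` has no comment saying which condition it covers, and with only closing braces as context that cannot be read off the hunk. If it pairs with `if (pfont->data.post_offset != 0)`, then every font whose offset was zeroed at init now reports `gs_error_invalidfont` from name lookup, and that would include `post` format 3.0, which is a valid table that simply carries no glyph names. Callers should be checked to confirm they treat this result as "no name available" rather than as a damaged font, and a one-line comment such as `/* no usable post table: post_offset was cleared in gs_type42_font_init */` would record the link between the two functions. The function body starts before and continues after this hunk.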