diff options
| author | Chris Liddell <chris.liddell@artifex.com> | 2022-09-01 10:10:55 +0100 |
|---|---|---|
| committer | Chris Liddell <chris.liddell@artifex.com> | 2022-09-02 15:59:07 +0100 |
| commit | 9abf36b47a1293479b1da6ec5cf269448909e201 (patch) | |
| tree | 5f5c76eb4393d68943ec0b60e7f28c3107c99a9f | |
| parent | de3e7e6f29303e121599d413b97763946e2f39df (diff) | |
| download | ghostpdl-9abf36b47a1293479b1da6ec5cf269448909e201.tar.gz | |
oss-fuzz 50847: Bounds check points indices in ttfOutliner__BuildGlyphOutlineAux()
| -rw-r--r-- | base/ttfmain.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/base/ttfmain.c b/base/ttfmain.c index 94f2eb86a..498cc9214 100644 --- a/base/ttfmain.c +++ b/base/ttfmain.c @@ -650,8 +650,15 @@ retry: e->m.tx = Scale_X( &exec->metrics, e->arg1 ) << 10; e->m.ty = Scale_Y( &exec->metrics, e->arg2 ) << 10; } else { - e->m.tx = (pts->org_x[e->arg1] - pts->org_x[gOutline->pointCount + e->arg2]) << 10; - e->m.ty = (pts->org_y[e->arg1] - pts->org_y[gOutline->pointCount + e->arg2]) << 10; + if (e->arg1 < 0 || e->arg1 > pts->n_points + || (gOutline->pointCount + e->arg2) < 0 || (gOutline->pointCount + e->arg2) > pts->n_points) { + error = fBadFontData; + goto ex; + } + else { + e->m.tx = (pts->org_x[e->arg1] - pts->org_x[gOutline->pointCount + e->arg2]) << 10; + e->m.ty = (pts->org_y[e->arg1] - pts->org_y[gOutline->pointCount + e->arg2]) << 10; + } } MoveGlyphOutline(pts, nPointsStored, &out, &e->m); for (j = nContoursStored; j < out.contourCount + nContoursStored; j++) |