authorChris Liddell <chris.liddell@artifex.com>2022-07-04 14:02:54 +0100
committerChris Liddell <chris.liddell@artifex.com>2022-07-05 10:50:18 +0100
commite950d1fa30cda37cae4cc0553a4d24135fc09695 (patch)
treea2bed9e3abc13f33620afc804ffb61c517da1dd6 /base/ttinterp.c
parente784b3314b61f8dfb65e21cd04d7b0ff53251ce1 (diff)
downloadghostpdl-e950d1fa30cda37cae4cc0553a4d24135fc09695.tar.gz
oss-fuzz 48547/48528/48526: Various TTF hinter fixes
A couple of opcode functions in the bytecode interpreter were not bounds checking the values they used. If a bytecode execution context initialisation encountered an out-of-memory error part way through, the remainder of the context would be left uninitialised, which could then lead to a later crash when cleaning up the partially initialised context.
Diffstat (limited to 'base/ttinterp.c')
-rw-r--r--base/ttinterp.c29
1 files changed, 25 insertions, 4 deletions
diff --git a/base/ttinterp.c b/base/ttinterp.c
index fe44a844e..63846c8d8 100644
--- a/base/ttinterp.c
+++ b/base/ttinterp.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1825,6 +1825,12 @@ static int nInstrCount=0;
{
if ( args[1] == 0 )
{
+ if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) )
+ {
+ CUR.error = TT_Err_Invalid_Reference;
+ return;
+ }
+
CUR.IP += (Int)(args[0]);
CUR.step_ins = FALSE;
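Review bot: The new guard at the top of the hunk only rejects targets at or beyond codeSize; args[0] is the signed jump displacement and backward jumps are legal, so a displacement that lands before the start of the code stream yields a negative target, which a plain `>=` comparison would accept unless BOUNDS casts its operands to unsigned. Confirm the BOUNDS definition, or make the lower bound explicit: `if ( CUR.IP + args[0] < 0 || BOUNDS(CUR.IP + args[0], CUR.codeSize) )`. Note also that a target equal to codeSize (jump to the very end of the program) is now treated as an error; if that is intended, a one-line comment saying so would help the next reader. The enclosing opcode handler starts and ends outside the hunk, so how args[0] is typed and obtained is not visible here.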
@@ -4378,9 +4384,15 @@ static int nInstrCount=0;
end_point = CUR.pts.contours[contour];
first_point = point;
- while ( point <= end_point && (CUR.pts.touch[point] & mask) == 0 )
+ while ( point <= end_point && point < CUR.pts.n_points && (CUR.pts.touch[point] & mask) == 0 )
point++;
+ if (BOUNDS(point, CUR.pts.n_points ))
+ {
+ CUR.error = TT_Err_Invalid_Reference;
+ return;
+ }
+
if ( point <= end_point )
{
first_touched = point;
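Review bot: The post-loop `BOUNDS(point, CUR.pts.n_points)` check also fires in the legitimate no-touched-point case: when the scan runs past end_point without finding a touched point, point ends at end_point + 1, and for the last contour that can equal n_points (assuming n_points does not include trailing phantom points), so a valid glyph would be rejected with TT_Err_Invalid_Reference instead of falling through the existing `if ( point <= end_point )` skip. The untrusted value here is end_point, read from `CUR.pts.contours[contour]` on the first line of the hunk; validating it once, right after that assignment, covers every later index into the contour and avoids the false positive: `if ( BOUNDS(end_point, CUR.pts.n_points) )` / `{ CUR.error = TT_Err_Invalid_Reference; return; }`, after which the added `point < CUR.pts.n_points` loop term and the post-loop check become redundant. The enclosing function starts and ends outside the hunk, so whether end_point is already clamped earlier is not visible here.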
@@ -4392,12 +4404,21 @@ static int nInstrCount=0;
{
if ( (CUR.pts.touch[point] & mask) != 0 )
{
- Interp( (Int)(cur_touched + 1),
+ if (BOUNDS(cur_touched, CUR.pts.n_points)
+ || BOUNDS(point, CUR.pts.n_points))
+ {
+ CUR.error = TT_Err_Invalid_Reference;
+ return;
+ }
+ else
+ {
+ Interp( (Int)(cur_touched + 1),
(Int)(point - 1),
(Int)cur_touched,
(Int)point,
&V );
- cur_touched = point;
+ cur_touched = point;
+ }
}
point++;