diff options
author | Chris Liddell <chris.liddell@artifex.com> | 2022-07-04 14:02:54 +0100 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2022-07-05 10:50:18 +0100 |
commit | e950d1fa30cda37cae4cc0553a4d24135fc09695 (patch) | |
tree | a2bed9e3abc13f33620afc804ffb61c517da1dd6 /base | |
parent | e784b3314b61f8dfb65e21cd04d7b0ff53251ce1 (diff) | |
download | ghostpdl-e950d1fa30cda37cae4cc0553a4d24135fc09695.tar.gz |
oss-fuzz 48547/48528/48526: Various TTF hinter fixes
A couple of opcode functions in the bytecode interpreter were not bounds
checking the values they used.
If a bytcode execution context initialisation encountered an out of memory
error part way through, the remainder of the context would be left
uninitialised which could then lead to a later crash when cleaning up the
partially initialised context.
Diffstat (limited to 'base')
-rw-r--r-- | base/ttinterp.c | 29 | ||||
-rw-r--r-- | base/ttobjs.c | 18 |
2 files changed, 42 insertions, 5 deletions
diff --git a/base/ttinterp.c b/base/ttinterp.c index fe44a844e..63846c8d8 100644 --- a/base/ttinterp.c +++ b/base/ttinterp.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2001-2021 Artifex Software, Inc. +/* Copyright (C) 2001-2022 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -1825,6 +1825,12 @@ static int nInstrCount=0; { if ( args[1] == 0 ) { + if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) ) + { + CUR.error = TT_Err_Invalid_Reference; + return; + } + CUR.IP += (Int)(args[0]); CUR.step_ins = FALSE; @@ -4378,9 +4384,15 @@ static int nInstrCount=0; end_point = CUR.pts.contours[contour]; first_point = point; - while ( point <= end_point && (CUR.pts.touch[point] & mask) == 0 ) + while ( point <= end_point && point < CUR.pts.n_points && (CUR.pts.touch[point] & mask) == 0 ) point++; + if (BOUNDS(point, CUR.pts.n_points )) + { + CUR.error = TT_Err_Invalid_Reference; + return; + } + if ( point <= end_point ) { first_touched = point; @@ -4392,12 +4404,21 @@ static int nInstrCount=0; { if ( (CUR.pts.touch[point] & mask) != 0 ) { - Interp( (Int)(cur_touched + 1), + if (BOUNDS(cur_touched, CUR.pts.n_points) + || BOUNDS(point, CUR.pts.n_points)) + { + CUR.error = TT_Err_Invalid_Reference; + return; + } + else + { + Interp( (Int)(cur_touched + 1), (Int)(point - 1), (Int)cur_touched, (Int)point, &V ); - cur_touched = point; + cur_touched = point; + } } point++; diff --git a/base/ttobjs.c b/base/ttobjs.c index 75eacb9ca..26029f336 100644 --- a/base/ttobjs.c +++ b/base/ttobjs.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2001-2021 Artifex Software, Inc. +/* Copyright (C) 2001-2022 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -303,6 +303,22 @@ static int free_aux(ttfMemory *mem, void *ptr) if (n_points < 100) n_points = 100; /* Bug 689907 */ + exec->pts.cur_x = NULL; + exec->pts.cur_y = NULL; + exec->pts.org_x = NULL; + exec->pts.org_y = NULL; + exec->pts.touch = NULL; + exec->pts.contours = NULL; + exec->twilight.cur_y = NULL; + exec->twilight.cur_x = NULL; + exec->twilight.org_y = NULL; + exec->twilight.org_x = NULL; + exec->twilight.touch = NULL; + exec->twilight.contours = NULL; + + exec->n_contours = exec->n_points = 0; + exec->twilight.n_points = 0; + if ( ALLOC_ARRAY( exec->callStack, exec->callSize, callSize, TCallRecord ) || /* reserve interpreter call stack */ |