diff options
author | Ken Sharp <ken.sharp@artifex.com> | 2022-07-20 17:33:28 +0100 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2022-07-21 14:40:51 +0100 |
commit | 631aecc58ee697ee514fec9b49cad19f237caa20 (patch) | |
tree | 816b21ab3bb73185901e965b84481e9b08b54bfb /psi | |
parent | db419b3a5aa011106f1159fa49354d7714989e64 (diff) | |
download | ghostpdl-631aecc58ee697ee514fec9b49cad19f237caa20.tar.gz |
OSS-fuzz #49290
The problem here is an (I think) corrupted TrueType font. One of the
glyphs claims to be a component glyph, and the component GID is
larger than the number of glyphs in the font (and so is invalid).
When we copy the font (which we only do with pdfwrite and ps2write) we
try to copy this glyph which is not otherwise used in the document.
As part of trying to copy the glyph we try to get the glyph name for
both the glyph and the components of the glyph.
Normally we walk the font twice, putting the glyph names for each
glyph into the name table on the first pass, and then retrieving them
on the second. Because the component glyph is not valid, we (obviously)
don't find it on the first pass, and don't add it to the name table.
On the second pass we use the glyph ID to try and get the name, but
because we didn't store it on the first pass there is no such name with
that ID, so we get an empty slot back. Which we don't check! We then
try to use it which involves dereferencing a NULL pointer, and we
crash.
This commit checks the GID of the component glyphs and makes sure they
are in the valid range so that (hopefully) this can't happen.
This also checks the name returned from name_index_ref to ensure it is
not an unused name slot, to avoid a crash if we find another route
that fails to return a name. We use this a lot in many places and
it's not obvious which ones are guaranteed safe and which might not be
so I haven't tried to change the other cases.
Diffstat (limited to 'psi')
-rw-r--r-- | psi/zbfont.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/psi/zbfont.c b/psi/zbfont.c index 044f58a12..bcf38aced 100644 --- a/psi/zbfont.c +++ b/psi/zbfont.c @@ -136,8 +136,11 @@ zfont_glyph_name(gs_font *font, gs_glyph index, gs_const_string *pstr) &nref, 1); if (code < 0) return code; - } else + } else { name_index_ref(font->memory, index, &nref); + if (nref.value.pname == NULL) + return_error(gs_error_unknownerror); + } name_string_ref(font->memory, &nref, &sref); pstr->data = sref.value.const_bytes; pstr->size = r_size(&sref); |