freetype-commit

[freetype2] master c9d4772: [cff] More consistency checks for pure CFFs.


From: Werner LEMBERG
Subject: [freetype2] master c9d4772: [cff] More consistency checks for pure CFFs.
Date: Wed, 4 Jan 2017 09:01:06 +0000 (UTC)

branch: master
commit c9d477242ceaa85ce70c42272ee44e99b386c01d
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [cff] More consistency checks for pure CFFs.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=378
    
    * src/cff/cffload.c (cff_font_load): Check element number and size
    of Name and Top DICT indices.
---
 ChangeLog         |   11 +++++++++++
 src/cff/cffload.c |   19 +++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 413949c..1a47545 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2017-01-04  Werner Lemberg  <address@hidden>
 
+       [cff] More consistency checks for pure CFFs.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=378
+
+       * src/cff/cffload.c (cff_font_load): Check element number and size
+       of Name and Top DICT indices.
+
+2017-01-04  Werner Lemberg  <address@hidden>
+
        [cff, truetype] Minor tracing improvement.
 
        * src/cff/cffobjs.c (cff_face_init), src/truetype/ttobjs.c
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index cb1c0b5..52922f4 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -2199,6 +2199,16 @@
         goto Exit;
       }
 
+      /* font names must not be empty */
+      if ( font->name_index.data_size < font->name_index.count )
+      {
+        /* for pure CFFs, we still haven't checked enough bytes */
+        /* to be sure that it is a CFF at all                   */
+        error = pure_cff ? FT_THROW( Unknown_File_Format )
+                         : FT_THROW( Invalid_File_Format );
+        goto Exit;
+      }
+
       if ( FT_SET_ERROR( cff_index_init( &font->font_dict_index,
                                          stream, 0, cff2 ) )                 ||
            FT_SET_ERROR( cff_index_init( &string_index,
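Review bot: the new check `font->name_index.data_size < font->name_index.count` is an aggregate bound, not a per-entry one, so the comment "font names must not be empty" overstates what it guarantees: it only ensures the Name INDEX carries at least as many data bytes as it has entries, and a single empty name next to a longer one still passes. Either reword the comment to say the index data must not be shorter than its entry count, or, if every name really must be non-empty, check the individual offsets after `cff_index_get_pointers`. Also, unlike the Top DICT check further down, this failure path emits no `FT_ERROR` trace; a one-line message naming `cff_font_load:` would make the rejection visible in trace output like the other one.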
@@ -2210,6 +2220,15 @@
                                                  &font->string_pool,
                                                  &font->string_pool_size ) ) )
         goto Exit;
+
+      /* there must be a Top DICT index entry for each name index entry */
+      if ( font->name_index.count > font->font_dict_index.count )
+      {
+        FT_ERROR(( "cff_font_load:"
+                   " not enough entries in Top DICT index\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Exit;
+      }
     }
 
     font->num_strings = string_index.count;
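Review bot: the `name_index.count > font_dict_index.count` check could sit directly after the `cff_index_init( &font->font_dict_index, ... )` call instead of after the string index has been initialised and `cff_index_get_pointers` has allocated the string pool; as placed, an invalid font still pays for loading and allocating the string pool before being rejected, and the `goto Exit` path has to release it. Moving the check up keeps the rejection cheap and keeps the three index-loading calls in the combined `if` undisturbed. The strict `>` is right for the stated invariant (at least one Top DICT entry per name), so a Top DICT INDEX with extra entries is still accepted, which matches the comment.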
