
[freetype2] master 2c9a2d5: Another bunch of UBSan warnings on adding of


From: Werner LEMBERG
Subject: [freetype2] master 2c9a2d5: Another bunch of UBSan warnings on adding offsets to nullptr.
Date: Fri, 13 Dec 2019 17:56:51 -0500 (EST)

branch: master
commit 2c9a2d58ca9c8e58cae1d0b63f17e291297484eb
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    Another bunch of UBSan warnings on adding offsets to nullptr.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19427
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19433
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19441
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19451
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19452
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19457
    
    * src/autofit/aflatin.c (af_latin_hints_compute_segments,
    af_latin_hints_compute_edges): Use `FT_OFFSET'.
    
    * src/base/ftstream.c (FT_Stream_EnterFrame): Use `FT_OFFSET'.
    
    * src/psaux/cffdecode.c (cff_decoder_parse_charstrings): Exit early
    if there is no charstring.
    
    * src/psaux/psobjs.c (t1_decrypt): Use `FT_OFFSET'.
    
    * src/smooth/ftsmooth.c (ft_smooth_render_generic): Exit early for
    zero bitmap dimensions.
---
 ChangeLog             | 26 ++++++++++++++++++++++++++
 src/autofit/aflatin.c |  4 ++--
 src/base/ftstream.c   |  2 +-
 src/psaux/cffdecode.c |  3 +++
 src/psaux/psobjs.c    |  2 +-
 src/smooth/ftsmooth.c |  3 +++
 6 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index db51329..0c3f4e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,29 @@
+2019-12-13  Werner Lemberg  <address@hidden>
+
+       Another bunch of UBSan warnings on adding offsets to nullptr.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19427
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19433
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19441
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19451
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19452
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19457
+
+       * src/autofit/aflatin.c (af_latin_hints_compute_segments,
+       af_latin_hints_compute_edges): Use `FT_OFFSET'.
+
+       * src/base/ftstream.c (FT_Stream_EnterFrame): Use `FT_OFFSET'.
+
+       * src/psaux/cffdecode.c (cff_decoder_parse_charstrings): Exit early
+       if there is no charstring.
+
+       * src/psaux/psobjs.c (t1_decrypt): Use `FT_OFFSET'.
+
+       * src/smooth/ftsmooth.c (ft_smooth_render_generic): Exit early for
+       zero bitmap dimensions.
+
 2019-12-09  Dominik Röttsches  <address@hidden>
 
        Fix more UBSan warnings on adding offset to nullptr (#57384).
diff --git a/src/autofit/aflatin.c b/src/autofit/aflatin.c
index 27d4024..444600c 100644
--- a/src/autofit/aflatin.c
+++ b/src/autofit/aflatin.c
@@ -1910,7 +1910,7 @@
     /* sense -- this is used to better detect and ignore serifs   */
     {
       AF_Segment  segments     = axis->segments;
-      AF_Segment  segments_end = segments + axis->num_segments;
+      AF_Segment  segments_end = FT_OFFSET( segments, axis->num_segments );
 
 
       for ( segment = segments; segment < segments_end; segment++ )
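Review bot: The `FT_OFFSET( segments, axis->num_segments )` form on the `segments_end` line silences the `NULL + n` report but records nothing about the invariant it relies on, namely that `segments` is only NULL when `axis->num_segments` is zero; the same applies to the second aflatin.c hunk (`edge_limit`), to `stream->limit` in ftstream.c and to the limit argument in psobjs.c. FT_OFFSET's definition is outside this page, so whether it merely rewrites the arithmetic or also guards the NULL case cannot be confirmed here. A one-line comment at this first use, `/* segments may be NULL when num_segments == 0; FT_OFFSET avoids NULL + n */`, would make the assumption visible to the next reader. The enclosing function starts and ends outside the hunk.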
@@ -2314,7 +2314,7 @@
      */
     {
       AF_Edge  edges      = axis->edges;
-      AF_Edge  edge_limit = edges + axis->num_edges;
+      AF_Edge  edge_limit = FT_OFFSET( edges, axis->num_edges );
       AF_Edge  edge;
 
 
diff --git a/src/base/ftstream.c b/src/base/ftstream.c
index 4b0890d..b53777c 100644
--- a/src/base/ftstream.c
+++ b/src/base/ftstream.c
@@ -286,7 +286,7 @@
       }
 
       stream->cursor = stream->base;
-      stream->limit  = stream->cursor + count;
+      stream->limit  = FT_OFFSET( stream->cursor, count );
       stream->pos   += read_bytes;
     }
     else
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 06c6af4..78a04be 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -530,6 +530,9 @@
 
     builder->path_begun = 0;
 
+    if ( !charstring_base )
+      return FT_Err_Ok;
+
     zone->base           = charstring_base;
     limit = zone->limit  = charstring_base + charstring_len;
     ip    = zone->cursor = zone->base;
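Review bot: The new guard returns `FT_Err_Ok` on a NULL `charstring_base` without looking at `charstring_len`, so a caller that passes NULL together with a nonzero length is silently treated as an empty charstring rather than rejected; whether such a combination can reach this point depends on callers outside the hunk. The early return also happens before `zone->base`, `zone->limit` and `zone->cursor` are assigned, which is presumably fine if nothing reads the zone after a successful return, but the intent deserves a comment, e.g. `/* no charstring: nothing to decode, and avoids NULL + len below */`. The enclosing function starts and ends outside the hunk.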
diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
index 5fb23b1..17337cc 100644
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -2577,7 +2577,7 @@
               FT_UShort  seed )
   {
     PS_Conv_EexecDecode( &buffer,
-                         buffer + length,
+                         FT_OFFSET( buffer, length ),
                          buffer,
                          length,
                          &seed );
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index dcaad35..b4a673c 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -155,6 +155,9 @@
       goto Exit;
     }
 
+    if ( !bitmap->rows || !bitmap->pitch )
+      goto Exit;
+
     /* allocate new one */
     if ( FT_ALLOC_MULT( bitmap->buffer, bitmap->rows, bitmap->pitch ) )
       goto Exit;
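Review bot: The new `goto Exit` for a zero-row or zero-pitch bitmap returns with `bitmap->buffer` left unallocated, and with whatever value `error` holds at that point; its initialisation is outside the hunk, so if it is still `FT_Err_Ok` the function reports success for an empty bitmap with a NULL buffer, which callers must be prepared for. A comment on the guard would record that, e.g. `/* nothing to render into an empty bitmap; skip the zero-size allocation */`. The enclosing function starts and ends outside the hunk.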


