[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 13d1180f4: [woff2] Disallow zero table font entries
|
From: |
Werner Lemberg |
|
Subject: |
[freetype2] master 13d1180f4: [woff2] Disallow zero table font entries |
|
Date: |
Thu, 2 May 2024 16:16:45 -0400 (EDT) |
branch: master
commit 13d1180f4542d19557e146cc0124e51891733b0c
Author: Ben Wanger <bungeman@gmail.com>
Commit: Ben Wanger <bungeman@gmail.com>
[woff2] Disallow zero table font entries
The existing code already disallows zero table woff2 overall, but still
allows for individual CollectionFontEntry to create font instances with
zero tables. Such fonts are not useful so error early.
This also fixes an MSAN discovered issue where if a CollectionFontEntry
numTables is zero then the sfnt_header was not fully initialized.
* src/sfnt/sfwoff2.c (woff2_open_font): error on zero tables, always
initalize sfnt_header
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68384
---
src/sfnt/sfwoff2.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 3df4d2664..0e272fc99 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1791,7 +1791,6 @@
FT_Byte* sfnt = NULL;
FT_Stream sfnt_stream = NULL;
- FT_Byte* sfnt_header;
FT_ULong sfnt_size;
FT_Byte* uncompressed_buf = NULL;
@@ -2135,6 +2134,13 @@
WOFF2_TtcFont ttc_font = woff2.ttc_fonts + face_index;
+ if ( ttc_font->num_tables == 0 )
+ {
+ FT_ERROR(( "woff2_open_font: invalid WOFF2 CollectionFontEntry\n" ));
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+
/* Create a temporary array. */
if ( FT_QNEW_ARRAY( temp_indices,
ttc_font->num_tables ) )
@@ -2190,13 +2196,9 @@
FT_NEW( sfnt_stream ) )
goto Exit;
- sfnt_header = sfnt;
-
- WRITE_ULONG( sfnt_header, woff2.flavor );
-
- if ( woff2.num_tables )
{
- FT_UInt searchRange, entrySelector, rangeShift, x;
+ FT_UInt searchRange, entrySelector, rangeShift, x;
+ FT_Byte* sfnt_header = sfnt;
x = woff2.num_tables;
@@ -2211,6 +2213,7 @@
searchRange = ( 1 << entrySelector ) * 16;
rangeShift = ( woff2.num_tables * 16 ) - searchRange;
+ WRITE_ULONG( sfnt_header, woff2.flavor );
WRITE_USHORT( sfnt_header, woff2.num_tables );
WRITE_USHORT( sfnt_header, searchRange );
WRITE_USHORT( sfnt_header, entrySelector );
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 13d1180f4: [woff2] Disallow zero table font entries,
Werner Lemberg <=