freetype-commit

[Git][freetype/freetype][master] [woff2] Disallow zero table font entrie


From: Ben Wagner (@bungeman)
Subject: [Git][freetype/freetype][master] [woff2] Disallow zero table font entries
Date: Thu, 02 May 2024 20:16:41 +0000

Ben Wagner pushed to branch master at FreeType / FreeType

Commits:

  • 13d1180f
    by Ben Wanger at 2024-05-02T15:00:27-04:00
    [woff2] Disallow zero table font entries
    
    The existing code already disallows zero table woff2 overall, but still
    allows for individual CollectionFontEntry to create font instances with
    zero tables. Such fonts are not useful so error early.
    
    This also fixes an MSAN discovered issue where if a CollectionFontEntry
    numTables is zero then the sfnt_header was not fully initialized.
    
    * src/sfnt/sfwoff2.c (woff2_open_font): error on zero tables, always
    initialize sfnt_header
    
    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68384
    

1 changed file:

Changes:

  • src/sfnt/sfwoff2.c
    ... ... @@ -1791,7 +1791,6 @@
    1791 1791
     
    
    1792 1792
         FT_Byte*   sfnt        = NULL;
    
    1793 1793
         FT_Stream  sfnt_stream = NULL;
    
    1794
    -    FT_Byte*   sfnt_header;
    
    1795 1794
         FT_ULong   sfnt_size;
    
    1796 1795
     
    
    1797 1796
         FT_Byte*  uncompressed_buf = NULL;
    
    ... ... @@ -2135,6 +2134,13 @@
    2135 2134
           WOFF2_TtcFont  ttc_font = woff2.ttc_fonts + face_index;
    
    2136 2135
     
    
    2137 2136
     
    
    2137
    +      if ( ttc_font->num_tables == 0 )
    
    2138
    +      {
    
    2139
    +        FT_ERROR(( "woff2_open_font: invalid WOFF2 CollectionFontEntry\n" ));
    
    2140
    +        error = FT_THROW( Invalid_Table );
    
    2141
    +        goto Exit;
    
    2142
    +      }
    
    2143
    +
    
    2138 2144
           /* Create a temporary array. */
    
    2139 2145
           if ( FT_QNEW_ARRAY( temp_indices,
    
    2140 2146
                               ttc_font->num_tables ) )
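
Review bot: The FT_ERROR message in the new `ttc_font->num_tables == 0` branch says only "invalid WOFF2 CollectionFontEntry", which tells someone reading a trace neither what was wrong nor which entry triggered it. Consider naming the cause (zero tables) and including face_index, which is already in scope on the `ttc_font = woff2.ttc_fonts + face_index` line just above. A one-line comment above the check would also help, noting that per the commit message a zero-table entry previously left the sfnt header not fully initialized; that explains why the rejection sits before the temp_indices allocation.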
    
    ... ... @@ -2190,13 +2196,9 @@
    2190 2196
              FT_NEW( sfnt_stream )        )
    
    2191 2197
           goto Exit;
    
    2192 2198
     
    
    2193
    -    sfnt_header = sfnt;
    
    2194
    -
    
    2195
    -    WRITE_ULONG( sfnt_header, woff2.flavor );
    
    2196
    -
    
    2197
    -    if ( woff2.num_tables )
    
    2198 2199
         {
    
    2199
    -      FT_UInt  searchRange, entrySelector, rangeShift, x;
    
    2200
    +      FT_UInt   searchRange, entrySelector, rangeShift, x;
    
    2201
    +      FT_Byte*  sfnt_header = sfnt;
    
    2200 2202
     
    
    2201 2203
     
    
    2202 2204
           x             = woff2.num_tables;
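
Review bot: With `if ( woff2.num_tables )` removed, the block that follows is a bare brace scope and the header computation starting at `x = woff2.num_tables;` now runs unconditionally, so it relies on num_tables being nonzero by the time execution reaches it. The checks that guarantee this are not in this hunk (the new CollectionFontEntry check is in the previous hunk, and the commit message refers to an existing whole-file check). A short comment at the top of the block stating the invariant, or an FT_ASSERT on woff2.num_tables, would make the dependency explicit and flag any later code path that arrives here with zero tables. If the braces are kept only to scope searchRange, entrySelector, rangeShift, x and sfnt_header, saying so in that comment avoids the block looking like a leftover from the deleted condition.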
    
    ... ... @@ -2211,6 +2213,7 @@
    2211 2213
           searchRange = ( 1 << entrySelector ) * 16;
    
    2212 2214
           rangeShift  = ( woff2.num_tables * 16 ) - searchRange;
    
    2213 2215
     
    
    2216
    +      WRITE_ULONG( sfnt_header, woff2.flavor );
    
    2214 2217
           WRITE_USHORT( sfnt_header, woff2.num_tables );
    
    2215 2218
           WRITE_USHORT( sfnt_header, searchRange );
    
    2216 2219
           WRITE_USHORT( sfnt_header, entrySelector );
    

