[truetype] Some fixes for VF checks.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10317

* src/truetype/ttgxvar.c (ft_var_load_gvar): Properly exit memory
frame if we have invalid glyph variation data offsets.
(tt_face_vary_cvt): Protect against missing `tuplecoords' array.
Fix typo.
Werner Lemberg 2018-09-13 21:47:35 +02:00
parent 7665914ccd
commit 10e54d04b9
2 changed files with 31 additions and 7 deletions

@ -1,3 +1,16 @@
2018-09-13 Werner Lemberg <wl@gnu.org>
[truetype] Some fixes for VF checks.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10317
* src/truetype/ttgxvar.c (ft_var_load_gvar): Properly exit memory
frame if we have invalid glyph variation data offsets.
(tt_face_vary_cvt): Protect against missing `tuplecoords' array.
Fix typo.
2018-09-13 Werner Lemberg <wl@gnu.org>
* src/sfnt/sfdriver.c (sfnt_get_var_ps_name): Fix last commit.

@ -1548,11 +1548,9 @@
" invalid glyph variation data offset for index %d\n",
i ));
error = FT_THROW( Invalid_Table );
goto Exit;
break;
}
}
FT_FRAME_EXIT();
}
else
{
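Review bot: the `break;` after `error = FT_THROW( Invalid_Table );` in this first offset loop only leaves the loop, so the failure is acted on solely by the `if ( error ) goto Exit;` that sits after the `else` branch in the next hunk. A short comment at the `break;` saying that the frame is exited and `error` is checked once after both branches would keep a later edit from placing code between this loop and that check, where it would run on a table already flagged as invalid.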
@ -1573,13 +1571,15 @@
" invalid glyph variation data offset for index %d\n",
i ));
error = FT_THROW( Invalid_Table );
goto Exit;
break;
}
}
FT_FRAME_EXIT();
}
FT_FRAME_EXIT();
if ( error )
goto Exit;
if ( blend->tuplecount != 0 )
{
if ( FT_NEW_ARRAY( blend->tuplecoords,
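Review bot: the `FT_FRAME_EXIT();` and `if ( error ) goto Exit;` pair after the closing brace is now the single exit path for two loops whose failure handling is line-for-line identical, including the trace string `invalid glyph variation data offset for index %d`. Since the trace no longer differs from the one in the hunk at 1548, consider having each message say which of the two branches rejected the offset, so a fuzzer report like the one referenced in the commit message can be triaged from the trace alone.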
@ -3263,13 +3263,24 @@
" invalid tuple index\n" ));
error = FT_THROW( Invalid_Table );
goto Exit;
goto FExit;
}
else
{
if ( !blend->tuplecoords )
{
FT_TRACE2(( "tt_face_vary_cvt:"
" no valid tuple coordinates available\n" ));
error = FT_THROW( Invalid_Table );
goto FExit;
}
FT_MEM_COPY(
tuple_coords,
&blend->tuplecoords[( tupleIndex & 0xFFF ) * blend->num_axis],
blend->num_axis * sizeof ( FT_Fixed ) );
}
if ( tupleIndex & GX_TI_INTERMEDIATE_TUPLE )
{
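Review bot: the new `if ( !blend->tuplecoords )` guard before `FT_MEM_COPY` has no comment saying when the array can be missing. The hunk at 1573 shows `blend->tuplecoords` being allocated only under `if ( blend->tuplecount != 0 )`, so a one-line comment naming that case (or the failed-load case, if that is the one meant) would document why the pointer is tested here rather than where it is set up. The `FExit` label that both `goto FExit;` statements target is outside the visible context; please confirm it releases the frame before falling through to `Exit`, since that is what the switch from `goto Exit;` depends on.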