[bdf] Synchronize sanity checks with pcf driver.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2054
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2058

* src/bdf/bdfdrivr.c (BDF_Face_Init): Check font ascent and descent.
Check AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE, RESOLUTION_X, and
RESOLUTION_Y properties.
This commit is contained in:
Werner Lemberg 2017-06-03 07:38:11 +02:00
parent 1ea343228d
commit 2c2e6403b7
2 changed files with 111 additions and 10 deletions

@ -1,3 +1,16 @@
2017-06-03 Werner Lemberg <wl@gnu.org>
[bdf] Synchronize sanity checks with pcf driver.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2054
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2058
* src/bdf/bdfdrivr.c (BDF_Face_Init): Check font ascent and descent.
Check AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE, RESOLUTION_X, and
RESOLUTION_Y properties.
2017-06-03 Werner Lemberg <wl@gnu.org>
[cff, truetype] Integer overflows.

@ -373,7 +373,7 @@ THE SOFTWARE.
/* we have a bdf font: let's construct the face object */
face->bdffont = font;
/* BDF could not have multiple face in single font file.
/* BDF cannot have multiple faces in a single font file.
* XXX: non-zero face_index is already invalid argument, but
* Type1, Type42 driver has a convention to return
* an invalid argument error when the font could be
@ -441,42 +441,130 @@ THE SOFTWARE.
FT_ZERO( bsize );
/* sanity checks */
if ( FT_ABS( font->font_ascent ) > 0x7FFF )
{
font->font_ascent = font->font_ascent < 0 ? -0x7FFF : 0x7FFF;
FT_TRACE0(( "BDF_Face_Init: clamping font ascent to value %d\n",
font->font_ascent ));
}
if ( FT_ABS( font->font_descent ) > 0x7FFF )
{
font->font_descent = font->font_descent < 0 ? -0x7FFF : 0x7FFF;
FT_TRACE0(( "BDF_Face_Init: clamping font descent to value %d\n",
font->font_descent ));
}
bsize->height = (FT_Short)( font->font_ascent + font->font_descent );
prop = bdf_get_font_property( font, "AVERAGE_WIDTH" );
if ( prop )
bsize->width = (FT_Short)( ( prop->value.l + 5 ) / 10 );
{
#ifdef FT_DEBUG_LEVEL_TRACE
if ( prop->value.l < 0 )
FT_TRACE0(( "BDF_Face_Init: negative average width\n" ));
#endif
if ( ( FT_ABS( prop->value.l ) > 0x7FFFL * 10 - 5 ) )
{
bsize->width = 0x7FFF;
FT_TRACE0(( "BDF_Face_Init: clamping average width to value %d\n",
bsize->width ));
}
else
bsize->width = FT_ABS( (FT_Short)( ( prop->value.l + 5 ) / 10 ) );
}
else
bsize->width = (FT_Short)( bsize->height * 2/3 );
{
/* this is a heuristical value */
bsize->width = (FT_Short)FT_MulDiv( bsize->height, 2, 3 );
}
prop = bdf_get_font_property( font, "POINT_SIZE" );
if ( prop )
{
#ifdef FT_DEBUG_LEVEL_TRACE
if ( prop->value.l < 0 )
FT_TRACE0(( "BDF_Face_Init: negative point size\n" ));
#endif
/* convert from 722.7 decipoints to 72 points per inch */
bsize->size =
(FT_Pos)( ( prop->value.l * 64 * 7200 + 36135L ) / 72270L );
if ( FT_ABS( prop->value.l ) > 0x504C2L ) /* 0x7FFF * 72270/7200 */
{
bsize->size = 0x7FFF;
FT_TRACE0(( "BDF_Face_Init: clamping point size to value %d\n",
bsize->size ));
}
else
bsize->size = FT_MulDiv( FT_ABS( prop->value.l ),
64 * 7200,
72270L );
}
else
{
/* this is a heuristical value */
bsize->size = bsize->width * 64;
}
prop = bdf_get_font_property( font, "PIXEL_SIZE" );
if ( prop )
bsize->y_ppem = (FT_Short)prop->value.l * 64;
{
#ifdef FT_DEBUG_LEVEL_TRACE
if ( prop->value.l < 0 )
FT_TRACE0(( "BDF_Face_Init: negative pixel size\n" ));
#endif
if ( FT_ABS( prop->value.l ) > 0x7FFF )
{
bsize->y_ppem = 0x7FFF << 6;
FT_TRACE0(( "BDF_Face_Init: clamping pixel size to value %d\n",
bsize->y_ppem ));
}
else
bsize->y_ppem = FT_ABS( (FT_Short)prop->value.l ) << 6;
}
prop = bdf_get_font_property( font, "RESOLUTION_X" );
if ( prop )
resolution_x = (FT_Short)prop->value.l;
{
#ifdef FT_DEBUG_LEVEL_TRACE
if ( prop->value.l < 0 )
FT_TRACE0(( "BDF_Face_Init: negative X resolution\n" ));
#endif
if ( FT_ABS( prop->value.l ) > 0x7FFF )
{
resolution_x = 0x7FFF;
FT_TRACE0(( "BDF_Face_Init: clamping X resolution to value %d\n",
resolution_x ));
}
else
resolution_x = FT_ABS( (FT_Short)prop->value.l );
}
prop = bdf_get_font_property( font, "RESOLUTION_Y" );
if ( prop )
resolution_y = (FT_Short)prop->value.l;
{
#ifdef FT_DEBUG_LEVEL_TRACE
if ( prop->value.l < 0 )
FT_TRACE0(( "BDF_Face_Init: negative Y resolution\n" ));
#endif
if ( FT_ABS( prop->value.l ) > 0x7FFF )
{
resolution_y = 0x7FFF;
FT_TRACE0(( "BDF_Face_Init: clamping Y resolution to value %d\n",
resolution_y ));
}
else
resolution_y = FT_ABS( (FT_Short)prop->value.l );
}
if ( bsize->y_ppem == 0 )
{
bsize->y_ppem = bsize->size;
if ( resolution_y )
bsize->y_ppem = bsize->y_ppem * resolution_y / 72;
bsize->y_ppem = FT_MulDiv( bsize->y_ppem, resolution_y, 72 );
}
if ( resolution_x && resolution_y )
bsize->x_ppem = bsize->y_ppem * resolution_x / resolution_y;
bsize->x_ppem = FT_MulDiv( bsize->y_ppem,
resolution_x,
resolution_y );
else
bsize->x_ppem = bsize->y_ppem;
}