From 2c2e6403b7c16cd1e3b20d18acdc935898eee040 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sat, 3 Jun 2017 07:38:11 +0200 Subject: [PATCH] [bdf] Synchronize sanity checks with pcf driver. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2054 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2058 * src/bdf/bdfdrivr.c (BDF_Face_Init): Check font ascent and descent. Check AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE, RESOLUTION_X, and RESOLUTION_Y properties. --- ChangeLog | 13 ++++++ src/bdf/bdfdrivr.c | 108 ++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 111 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 83a239af1..0bf03f3ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +2017-06-03 Werner Lemberg + + [bdf] Synchronize sanity checks with pcf driver. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2054 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2058 + + * src/bdf/bdfdrivr.c (BDF_Face_Init): Check font ascent and descent. + Check AVERAGE_WIDTH, POINT_SIZE, PIXEL_SIZE, RESOLUTION_X, and + RESOLUTION_Y properties. + 2017-06-03 Werner Lemberg [cff, truetype] Integer overflows. diff --git a/src/bdf/bdfdrivr.c b/src/bdf/bdfdrivr.c index 540d367c6..c7b9b4111 100644 --- a/src/bdf/bdfdrivr.c +++ b/src/bdf/bdfdrivr.c @@ -373,7 +373,7 @@ THE SOFTWARE. /* we have a bdf font: let's construct the face object */ face->bdffont = font; - /* BDF could not have multiple face in single font file. + /* BDF cannot have multiple faces in a single font file. * XXX: non-zero face_index is already invalid argument, but * Type1, Type42 driver has a convention to return * an invalid argument error when the font could be @@ -441,42 +441,130 @@ THE SOFTWARE. FT_ZERO( bsize ); + /* sanity checks */ + if ( FT_ABS( font->font_ascent ) > 0x7FFF ) + { + font->font_ascent = font->font_ascent < 0 ? -0x7FFF : 0x7FFF; + FT_TRACE0(( "BDF_Face_Init: clamping font ascent to value %d\n", + font->font_ascent )); + } + if ( FT_ABS( font->font_descent ) > 0x7FFF ) + { + font->font_descent = font->font_descent < 0 ? -0x7FFF : 0x7FFF; + FT_TRACE0(( "BDF_Face_Init: clamping font descent to value %d\n", + font->font_descent )); + } + bsize->height = (FT_Short)( font->font_ascent + font->font_descent ); prop = bdf_get_font_property( font, "AVERAGE_WIDTH" ); if ( prop ) - bsize->width = (FT_Short)( ( prop->value.l + 5 ) / 10 ); + { +#ifdef FT_DEBUG_LEVEL_TRACE + if ( prop->value.l < 0 ) + FT_TRACE0(( "BDF_Face_Init: negative average width\n" )); +#endif + if ( ( FT_ABS( prop->value.l ) > 0x7FFFL * 10 - 5 ) ) + { + bsize->width = 0x7FFF; + FT_TRACE0(( "BDF_Face_Init: clamping average width to value %d\n", + bsize->width )); + } + else + bsize->width = FT_ABS( (FT_Short)( ( prop->value.l + 5 ) / 10 ) ); + } else - bsize->width = (FT_Short)( bsize->height * 2/3 ); + { + /* this is a heuristical value */ + bsize->width = (FT_Short)FT_MulDiv( bsize->height, 2, 3 ); + } prop = bdf_get_font_property( font, "POINT_SIZE" ); if ( prop ) + { +#ifdef FT_DEBUG_LEVEL_TRACE + if ( prop->value.l < 0 ) + FT_TRACE0(( "BDF_Face_Init: negative point size\n" )); +#endif /* convert from 722.7 decipoints to 72 points per inch */ - bsize->size = - (FT_Pos)( ( prop->value.l * 64 * 7200 + 36135L ) / 72270L ); + if ( FT_ABS( prop->value.l ) > 0x504C2L ) /* 0x7FFF * 72270/7200 */ + { + bsize->size = 0x7FFF; + FT_TRACE0(( "BDF_Face_Init: clamping point size to value %d\n", + bsize->size )); + } + else + bsize->size = FT_MulDiv( FT_ABS( prop->value.l ), + 64 * 7200, + 72270L ); + } else + { + /* this is a heuristical value */ bsize->size = bsize->width * 64; + } prop = bdf_get_font_property( font, "PIXEL_SIZE" ); if ( prop ) - bsize->y_ppem = (FT_Short)prop->value.l * 64; + { +#ifdef FT_DEBUG_LEVEL_TRACE + if ( prop->value.l < 0 ) + FT_TRACE0(( "BDF_Face_Init: negative pixel size\n" )); +#endif + if ( FT_ABS( prop->value.l ) > 0x7FFF ) + { + bsize->y_ppem = 0x7FFF << 6; + FT_TRACE0(( "BDF_Face_Init: clamping pixel size to value %d\n", + bsize->y_ppem )); + } + else + bsize->y_ppem = FT_ABS( (FT_Short)prop->value.l ) << 6; + } prop = bdf_get_font_property( font, "RESOLUTION_X" ); if ( prop ) - resolution_x = (FT_Short)prop->value.l; + { +#ifdef FT_DEBUG_LEVEL_TRACE + if ( prop->value.l < 0 ) + FT_TRACE0(( "BDF_Face_Init: negative X resolution\n" )); +#endif + if ( FT_ABS( prop->value.l ) > 0x7FFF ) + { + resolution_x = 0x7FFF; + FT_TRACE0(( "BDF_Face_Init: clamping X resolution to value %d\n", + resolution_x )); + } + else + resolution_x = FT_ABS( (FT_Short)prop->value.l ); + } prop = bdf_get_font_property( font, "RESOLUTION_Y" ); if ( prop ) - resolution_y = (FT_Short)prop->value.l; + { +#ifdef FT_DEBUG_LEVEL_TRACE + if ( prop->value.l < 0 ) + FT_TRACE0(( "BDF_Face_Init: negative Y resolution\n" )); +#endif + if ( FT_ABS( prop->value.l ) > 0x7FFF ) + { + resolution_y = 0x7FFF; + FT_TRACE0(( "BDF_Face_Init: clamping Y resolution to value %d\n", + resolution_y )); + } + else + resolution_y = FT_ABS( (FT_Short)prop->value.l ); + } if ( bsize->y_ppem == 0 ) { bsize->y_ppem = bsize->size; if ( resolution_y ) - bsize->y_ppem = bsize->y_ppem * resolution_y / 72; + bsize->y_ppem = FT_MulDiv( bsize->y_ppem, resolution_y, 72 ); } if ( resolution_x && resolution_y ) - bsize->x_ppem = bsize->y_ppem * resolution_x / resolution_y; + bsize->x_ppem = FT_MulDiv( bsize->y_ppem, + resolution_x, + resolution_y ); else bsize->x_ppem = bsize->y_ppem; }