[truetype] Reject elements of composites with invalid glyph indices.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413

* src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
Werner Lemberg 2018-05-22 09:06:24 +02:00
parent 3c99016f8f
commit 3360ca5853
4 changed files with 69 additions and 3 deletions

@ -1,3 +1,13 @@
2018-05-22 Werner Lemberg <wl@gnu.org>
[truetype] Reject elements of composites with invalid glyph indices.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413
* src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
2018-05-22 Werner Lemberg <wl@gnu.org>
* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Trace # of points.

@ -760,6 +760,18 @@
#define FT_ADVANCES_H <freetype/ftadvanc.h>
/*************************************************************************
*
* @macro:
* FT_COLOR_H
*
* @description:
* A macro used in #include statements to name the file containing the
* FreeType~2 API which handles the OpenType CPAL table.
*/
#define FT_COLOR_H <freetype/ftcolor.h>
/* */
/* These header files don't need to be included by the user. */
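Review bot: The `FT_COLOR_H` macro added here is not covered by the commit message or the ChangeLog entry, which both name only `src/truetype/ttgload.c`; the same holds for the `#include FT_COLOR_H` and the `FT_Bitmap_Blend` declaration in the next file section. Bundling a new public API with a fuzzer-reported fix makes the fix harder to audit and to backport on its own, so these additions belong in a separate commit with their own ChangeLog entry. Note also that `<freetype/ftcolor.h>` is not among the four changed files; if it does not already exist in the parent tree, the new `#include FT_COLOR_H` will not compile.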

@ -22,6 +22,7 @@
#include <ft2build.h>
#include FT_FREETYPE_H
#include FT_COLOR_H
#ifdef FREETYPE_H
#error "freetype.h of FreeType 1 has been loaded!"
@ -182,6 +183,43 @@ FT_BEGIN_HEADER
FT_Int alignment );
/*************************************************************************/
/* */
/* <Function> */
/* FT_Bitmap_Blend */
/* */
/* <Description> */
/* Blend a bitmap object from an `FT_GlyphSlot' structure onto a */
/* bitmap in an `FT_Bitmap' structure, using a given color and */
/* offset. */
/* */
/* <InOut> */
/* target :: A handle to a bitmap object. Its type must be */
/* @FT_PIXEL_MODE_BGRA. */
/* */
/* <Input> */
/* source :: The glyph slot's source bitmap, which can have any */
/* @FT_Pixel_Mode format. */
/* */
/* color :: The color used to draw `source' onto `target'. */
/* */
/* topleft :: A vector from the topleft corner of `source' to the */
/* topleft corner of `target'. */
/* */
/* <Return> */
/* FreeType error code. 0~means success. */
/* */
/* <Note> */
/* This function reallocates the target bitmap if necessary; it */
/* doesn't perform clipping. */
/* */
FT_EXPORT( FT_Error )
FT_Bitmap_Blend( FT_Bitmap target,
FT_GlyphSlot source,
FT_Color color,
FT_Vector topleft );
/*************************************************************************/
/* */
/* <Function> */
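Review bot: `FT_Bitmap_Blend` takes `FT_Bitmap target` by value, yet the comment lists `target` under `<InOut>` and says the function reallocates the target bitmap if necessary; a new buffer or changed dimensions written to a by-value copy never reach the caller, who would be left holding the old buffer pointer. For the documented behaviour to hold, the parameter would have to be a pointer, `FT_Bitmap* target`. Because the note also says no clipping is performed, the comment should state what the caller must guarantee about `topleft` and the source size, or say explicitly that the reallocation covers any offset. The implementation is not part of this commit, so this is judged from the declaration alone.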

@ -561,9 +561,10 @@
TT_Load_Composite_Glyph( TT_Loader loader )
{
FT_Error error;
FT_Byte* p = loader->cursor;
FT_Byte* limit = loader->limit;
FT_GlyphLoader gloader = loader->gloader;
FT_Byte* p = loader->cursor;
FT_Byte* limit = loader->limit;
FT_GlyphLoader gloader = loader->gloader;
FT_Long num_glyphs = loader->face->root.num_glyphs;
FT_SubGlyph subglyph;
FT_UInt num_subglyphs;
@ -592,6 +593,11 @@
subglyph->flags = FT_NEXT_USHORT( p );
subglyph->index = FT_NEXT_USHORT( p );
/* we reject composites that have components */
/* with invalid glyph indices */
if ( subglyph->index >= num_glyphs )
goto Invalid_Composite;
/* check space */
count = 2;
if ( subglyph->flags & ARGS_ARE_WORDS )
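Review bot: The comment on the new `subglyph->index >= num_glyphs` check says what is rejected but not why; the hunk does not show which later use of `subglyph->index` the bound protects. I would add the reason, e.g. `/* later loading of the component relies on index < num_glyphs */`, worded to match what the OSS-Fuzz report actually hit, since that consumer is outside the visible lines. One bad component now discards the whole composite through `Invalid_Composite` without any trace output, whereas the previous ChangeLog entry added tracing to `TT_Load_Simple_Glyph`; a trace line before the `goto` naming the offending index would make rejected fonts diagnosable. The rest of `TT_Load_Composite_Glyph` and the `Invalid_Composite` label lie outside the hunk.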