[cff] Fix segv.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9864

* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
<cff_op_random> [CFF_CONFIG_OPTION_OLD_ENGINE]: Use top dict's
`random' field directly if parsing dictionaries.
Werner Lemberg 2018-08-14 02:02:26 +02:00
parent f5fe6e2f17
commit 757bdf1aef
2 changed files with 24 additions and 8 deletions

@ -1,3 +1,15 @@
2018-08-14 Werner Lemberg <wl@gnu.org>
[cff] Fix segv.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9864
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
<cff_op_random> [CFF_CONFIG_OPTION_OLD_ENGINE]: Use top dict's
`random' field directly if parsing dictionaries.
2018-08-13 Alexei Podtelezhnikov <apodtele@gmail.com>
[bdf] Use unsigned types.
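Review bot: the entry records what changed but not why the two paths differ; a short clause noting that `current_subfont` is not usable while the top dict is being parsed (which is what the fuzzer-reported segv exercised) would let a later reader understand the `in_dict` distinction without reopening the OSS-Fuzz issue.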

@ -1712,16 +1712,20 @@
break;
case cff_op_random:
FT_TRACE4(( " random\n" ));
{
FT_UInt32* randval = in_dict ? &decoder->cff->top_font.random
: &decoder->current_subfont->random;
/* only use the lower 16 bits of `random' */
/* to generate a number in the range (0;1] */
args[0] = (FT_Fixed)
( ( decoder->current_subfont->random & 0xFFFF ) + 1 );
args++;
decoder->current_subfont->random =
cff_random( decoder->current_subfont->random );
FT_TRACE4(( " random\n" ));
/* only use the lower 16 bits of `random' */
/* to generate a number in the range (0;1] */
args[0] = (FT_Fixed)( ( *randval & 0xFFFF ) + 1 );
args++;
*randval = cff_random( *randval );
}
break;
case cff_op_mul:
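Review bot: the `in_dict ? &decoder->cff->top_font.random : &decoder->current_subfont->random` selection removes the NULL dereference on the dictionary-parsing path, but the invariant it depends on (that `decoder->cff` is valid whenever `in_dict` is set, and `current_subfont` only once charstrings are being parsed) is not stated anywhere in the hunk; a one-line comment next to the `randval` declaration, or an `FT_ASSERT( decoder->cff )` in the `in_dict` branch, would make it explicit. It is also worth checking whether other opcodes in this switch dereference `current_subfont` unconditionally, since the same input would reach them with `in_dict` set. The rest of the hunk is a reindent of the existing trace call and comments and reads fine.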