[psaux] Fix segfault.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_callothersubr> [CFF_CONFIG_OPTION_OLD_ENGINE]: Check argument.
parent
6b660f1215
commit
d280ae1e8c
14
ChangeLog
14
ChangeLog
@ -1,10 +1,22 @@
|
||||
2018-10-02 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[psaux] Fix segfault.
|
||||
|
||||
Reported as
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768
|
||||
|
||||
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
|
||||
<cff_op_callothersubr> [CFF_CONFIG_OPTION_OLD_ENGINE]: Check
|
||||
argument.
|
||||
|
||||
2018-10-02 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[psaux] Fix numeric overflow.
|
||||
|
||||
Reported as
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10740
|
||||
|
||||
* src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_roll>
|
||||
[CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT.
|
||||
|
@ -2027,20 +2027,31 @@
|
||||
break;
|
||||
|
||||
case cff_op_callothersubr:
|
||||
/* this is an invalid Type 2 operator; however, there */
|
||||
/* exist fonts which are incorrectly converted from probably */
|
||||
/* Type 1 to CFF, and some parsers seem to accept it */
|
||||
{
|
||||
FT_Fixed arg;
|
||||
|
||||
FT_TRACE4(( " callothersubr (invalid op)\n" ));
|
||||
|
||||
/* subsequent `pop' operands should add the arguments, */
|
||||
/* this is the implementation described for `unknown' other */
|
||||
/* subroutines in the Type1 spec. */
|
||||
/* */
|
||||
/* XXX Fix return arguments (see discussion below). */
|
||||
args -= 2 + ( args[-2] >> 16 );
|
||||
if ( args < stack )
|
||||
goto Stack_Underflow;
|
||||
/* this is an invalid Type 2 operator; however, there */
|
||||
/* exist fonts which are incorrectly converted from */
|
||||
/* probably Type 1 to CFF, and some parsers seem to accept */
|
||||
/* it */
|
||||
|
||||
FT_TRACE4(( " callothersubr (invalid op)\n" ));
|
||||
|
||||
/* subsequent `pop' operands should add the arguments, */
|
||||
/* this is the implementation described for `unknown' */
|
||||
/* other subroutines in the Type1 spec. */
|
||||
/* */
|
||||
/* XXX Fix return arguments (see discussion below). */
|
||||
|
||||
arg = 2 + ( args[-2] >> 16 );
|
||||
if ( arg >= CFF_MAX_OPERANDS )
|
||||
goto Stack_Underflow;
|
||||
|
||||
args -= arg;
|
||||
if ( args < stack )
|
||||
goto Stack_Underflow;
|
||||
}
|
||||
break;
|
||||
|
||||
case cff_op_pop:
|
||||
|
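Review bot: The new bound in the `cff_op_callothersubr` case rejects only a count that is too large; a negative operand from the font is not caught. If the stack entries are signed like `arg` (declared `FT_Fixed`), `args[-2] >> 16` can be negative, `arg` then falls below 2, and `args -= arg` moves the pointer up the operand stack instead of down, which neither `arg >= CFF_MAX_OPERANDS` nor `args < stack` detects. I would test both sides, `if ( arg < 2 || arg >= CFF_MAX_OPERANDS )`, and compare the count with the current depth before subtracting, `if ( arg > args - stack ) goto Stack_Underflow;`, so that no pointer below `stack` is ever formed. Whether `args[-2]` is guaranteed to exist at this point depends on an operand-count check that is not visible here; the enclosing function starts and ends outside the hunk.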