From d280ae1e8c707d2478a8f4ac2059f762cf58e6d8 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Tue, 2 Oct 2018 20:45:16 +0200 Subject: [PATCH] [psaux] Fix segfault. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) [CFF_CONFIG_OPTION_OLD_ENGINE]: Check argument. --- ChangeLog | 14 +++++++++++++- src/psaux/cffdecode.c | 35 +++++++++++++++++++++++------------ 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 123cc515f..c84c76044 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,22 @@ +2018-10-02 Werner Lemberg + + [psaux] Fix segfault. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768 + + * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) + [CFF_CONFIG_OPTION_OLD_ENGINE]: Check + argument. + 2018-10-02 Werner Lemberg [psaux] Fix numeric overflow. Reported as - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10768 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10740 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) [CFF_CONFIG_OPTION_OLD_ENGINE]: Use NEG_INT. diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c index b90a82853..58a516fb2 100644 --- a/src/psaux/cffdecode.c +++ b/src/psaux/cffdecode.c @@ -2027,20 +2027,31 @@ break; case cff_op_callothersubr: - /* this is an invalid Type 2 operator; however, there */ - /* exist fonts which are incorrectly converted from probably */ - /* Type 1 to CFF, and some parsers seem to accept it */ + { + FT_Fixed arg; - FT_TRACE4(( " callothersubr (invalid op)\n" )); - /* subsequent `pop' operands should add the arguments, */ - /* this is the implementation described for `unknown' other */ - /* subroutines in the Type1 spec. */ - /* */ - /* XXX Fix return arguments (see discussion below). */ - args -= 2 + ( args[-2] >> 16 ); - if ( args < stack ) - goto Stack_Underflow; + /* this is an invalid Type 2 operator; however, there */ + /* exist fonts which are incorrectly converted from */ + /* probably Type 1 to CFF, and some parsers seem to accept */ + /* it */ + + FT_TRACE4(( " callothersubr (invalid op)\n" )); + + /* subsequent `pop' operands should add the arguments, */ + /* this is the implementation described for `unknown' */ + /* other subroutines in the Type1 spec. */ + /* */ + /* XXX Fix return arguments (see discussion below). */ + + arg = 2 + ( args[-2] >> 16 ); + if ( arg >= CFF_MAX_OPERANDS ) + goto Stack_Underflow; + + args -= arg; + if ( args < stack ) + goto Stack_Underflow; + } break; case cff_op_pop: