| From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001 |
| From: Werner Lemberg <wl@gnu.org> |
| Date: Fri, 24 Mar 2017 09:15:10 +0100 |
| Subject: [PATCH] [psaux] Better protect `flex' handling. |
| |
| Reported as |
| |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 |
| |
| * src/psaux/t1decode.c (t1_decoder_parse_charstrings) |
| <callothersubr>: Since there is not a single flex operator but a |
| series of subroutine calls, malformed fonts can call arbitrary other |
| operators after the start of a flex, possibly adding points. For |
| this reason we have to check the available number of points before |
| inserting a point. |
| |
| Fixes CVE-2017-8105 |
| |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c |
| index af7b465e..7dd45135 100644 |
| --- a/src/psaux/t1decode.c |
| +++ b/src/psaux/t1decode.c |
| @@ -780,10 +780,19 @@ |
| /* point without adding any point to the outline */ |
| idx = decoder->num_flex_vectors++; |
| if ( idx > 0 && idx < 7 ) |
| + { |
| + /* in malformed fonts it is possible to have other */ |
| + /* opcodes in the middle of a flex (which don't */ |
| + /* increase `num_flex_vectors'); we thus have to */ |
| + /* check whether we can add a point */ |
| + if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) |
| + goto Syntax_Error; |
| + |
| t1_builder_add_point( builder, |
| x, |
| y, |
| (FT_Byte)( idx == 3 || idx == 6 ) ); |
| + } |
| } |
| break; |
| |
| -- |
| 2.11.0 |
| |
