From a18788b14db60ae3673f932249cd02d33a227c4e Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 20 Mar 2009 08:03:58 +0100
Subject: [PATCH 1/2] Fix validation for various cmap table formats.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate, tt_cmap12_validate): Check `length' correctly. (tt_cmap_14_validate): Check `length' and `numMappings' correctly.
---
 src/sfnt/ttcmap.c | 13 ++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 6830391..1bd2ce7 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1635,7 +1635,7 @@
 FT_INVALID_TOO_SHORT;
 length = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 8208 )
+ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
 FT_INVALID_TOO_SHORT;
 is32 = table + 12;
@@ -1863,7 +1863,8 @@
 p = table + 16;
 count = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 20 + count * 2 )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 20 + count * 2 )
 FT_INVALID_TOO_SHORT;
 /* check glyph indices */
@@ -2048,7 +2049,8 @@
 p = table + 12;
 num_groups = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 16 + 12 * num_groups )
 FT_INVALID_TOO_SHORT;
 /* check groups, they must be in increasing order */
@@ -2429,7 +2431,8 @@
 FT_ULong num_selectors = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 10 + 11 * num_selectors )
 FT_INVALID_TOO_SHORT;
 /* check selectors, they must be in increasing order */
@@ -2491,7 +2494,7 @@
 FT_ULong i, lastUni = 0;
- if ( ndp + numMappings * 4 > valid->limit )
+ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
 FT_INVALID_TOO_SHORT;
 for ( i = 0; i < numMappings; ++i )
--
1.6.1.3.GIT
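Review bot: The new bound in the cmap8 hunk casts the remaining table size to `FT_UInt32` while the four later hunks cast the same `valid->limit - table` expression to `FT_ULong`; `length` is read by TT_NEXT_ULONG in every case, so one type should be used throughout, preferably `FT_ULong` as in the other hunks. All five checks only work if `table` is already known to lie at or before `valid->limit`, because a negative pointer difference cast to unsigned becomes a huge value and the comparison passes; that guard is presumably the earlier `FT_INVALID_TOO_SHORT` visible as context, but its condition sits outside the hunk and is worth confirming. The literal `8192 + 16` would read better with a comment such as `/* 12-byte header + 8192-byte is32 bitmap + 4-byte nGroups */`, assuming that is the breakdown intended given the `is32 = table + 12` that follows. tt_cmap8_validate begins and ends outside the hunk.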
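Review bot: In the cmap10 hunk the bound `length < 20 + count * 2` is evaluated in `FT_ULong`, so on targets where that type is 32 bits the 32-bit `count` read by TT_NEXT_ULONG can wrap the product (a count of 0x80000000 makes `count * 2` zero) and the check passes although the table cannot hold that many entries; the glyph-index loop after the `/* check glyph indices */` context line, which is outside the hunk, would then presumably read past the table. The same multiplication appears in the cmap12 hunk (`16 + 12 * num_groups`), the cmap14 hunk (`10 + 11 * num_selectors`) and the last hunk (`numMappings * 4`). Dividing instead of multiplying cannot wrap: `length < 20 || ( length - 20 ) / 2 < count`, and correspondingly `length < 16 || ( length - 16 ) / 12 < num_groups`, `length < 10 || ( length - 10 ) / 11 < num_selectors` and `numMappings > (FT_ULong)( valid->limit - ndp ) / 4`. Each of these validators begins and ends outside its hunk.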
From 79972af4f0485a11dcb19551356c45245749fc5b Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 20 Mar 2009 08:21:37 +0100
Subject: [PATCH 2/2] Protect against too large glyphs.
Problem reported by Tavis Ormandy .
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow `width' or `pitch' to be larger than 0xFFFF.
---
 src/smooth/ftsmooth.c | 9 ++++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index a6db504..cacc490 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -153,7 +153,7 @@
 slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
 }
- /* allocate new one, depends on pixel format */
+ /* allocate new one */
 pitch = width;
 if ( hmul )
 {
@@ -194,6 +194,13 @@
 #endif
+ if ( pitch > 0xFFFF || height > 0xFFFF )
+ {
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+ width, height ));
+ return Smooth_Err_Raster_Overflow;
+ }
+
 bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
 bitmap->num_grays = 256;
 bitmap->width = width;
--
1.6.1.3.GIT
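Review bot: The guard added after `#endif` rejects on `pitch` and `height`, but the FT_ERROR line prints `width` and `height`, so once `hmul` has grown `pitch` beyond the `pitch = width` starting value set in the first hunk the log understates the size that was actually refused; print the tested value as well, `FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d (pitch %d)\n", width, height, pitch ));`. The commit message says `width' and `pitch' are bounded while the code bounds `pitch' and `height'; the two should be brought into agreement. The reason for the 0xFFFF limit is not stated anywhere in the hunk, and if the intent (which I infer only from the `Smooth_Err_Raster_Overflow` return) is to keep the later buffer-size arithmetic on `pitch` and `height` from overflowing, a one-line comment on the `if` such as `/* bound pitch and height so the bitmap size computed from them cannot overflow */` would record it. ft_smooth_render_generic starts and ends outside the hunk.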