[truetype] Reject elements of composites with invalid glyph indices.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413 * src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
This commit is contained in:
parent
3c99016f8f
commit
3360ca5853
10
ChangeLog
10
ChangeLog
@ -1,3 +1,13 @@
|
||||
2018-05-22 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[truetype] Reject elements of composites with invalid glyph indices.
|
||||
|
||||
Reported as
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8413
|
||||
|
||||
* src/truetype/ttgload.c (TT_Load_Composite_Glyph): Implement it.
|
||||
|
||||
2018-05-22 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
* src/truetype/ttgload.c (TT_Load_Simple_Glyph): Trace # of points.
|
||||
|
@ -760,6 +760,18 @@
|
||||
#define FT_ADVANCES_H <freetype/ftadvanc.h>
|
||||
|
||||
|
||||
/*************************************************************************
|
||||
*
|
||||
* @macro:
|
||||
* FT_COLOR_H
|
||||
*
|
||||
* @description:
|
||||
* A macro used in #include statements to name the file containing the
|
||||
* FreeType~2 API which handles the OpenType CPAL table.
|
||||
*/
|
||||
#define FT_COLOR_H <freetype/ftcolor.h>
|
||||
|
||||
|
||||
/* */
|
||||
|
||||
/* These header files don't need to be included by the user. */
|
||||
|
@ -22,6 +22,7 @@
|
||||
|
||||
#include <ft2build.h>
|
||||
#include FT_FREETYPE_H
|
||||
#include FT_COLOR_H
|
||||
|
||||
#ifdef FREETYPE_H
|
||||
#error "freetype.h of FreeType 1 has been loaded!"
|
||||
@ -182,6 +183,43 @@ FT_BEGIN_HEADER
|
||||
FT_Int alignment );
|
||||
|
||||
|
||||
/*************************************************************************/
|
||||
/* */
|
||||
/* <Function> */
|
||||
/* FT_Bitmap_Blend */
|
||||
/* */
|
||||
/* <Description> */
|
||||
/* Blend a bitmap object from an `FT_GlyphSlot' structure onto a */
|
||||
/* bitmap in an `FT_Bitmap' structure, using a given color and */
|
||||
/* offset. */
|
||||
/* */
|
||||
/* <InOut> */
|
||||
/* target :: A handle to a bitmap object. Its type must be */
|
||||
/* @FT_PIXEL_MODE_BGRA. */
|
||||
/* */
|
||||
/* <Input> */
|
||||
/* source :: The glyph slot's source bitmap, which can have any */
|
||||
/* @FT_Pixel_Mode format. */
|
||||
/* */
|
||||
/* color :: The color used to draw `source' onto `target'. */
|
||||
/* */
|
||||
/* topleft :: A vector from the topleft corner of `source' to the */
|
||||
/* topleft corner of `target'. */
|
||||
/* */
|
||||
/* <Return> */
|
||||
/* FreeType error code. 0~means success. */
|
||||
/* */
|
||||
/* <Note> */
|
||||
/* This function reallocates the target bitmap if necessary; it */
|
||||
/* doesn't perform clipping. */
|
||||
/* */
|
||||
FT_EXPORT( FT_Error )
|
||||
FT_Bitmap_Blend( FT_Bitmap target,
|
||||
FT_GlyphSlot source,
|
||||
FT_Color color,
|
||||
FT_Vector topleft );
|
||||
|
||||
|
||||
/*************************************************************************/
|
||||
/* */
|
||||
/* <Function> */
|
||||
|
@ -561,9 +561,10 @@
|
||||
TT_Load_Composite_Glyph( TT_Loader loader )
|
||||
{
|
||||
FT_Error error;
|
||||
FT_Byte* p = loader->cursor;
|
||||
FT_Byte* limit = loader->limit;
|
||||
FT_GlyphLoader gloader = loader->gloader;
|
||||
FT_Byte* p = loader->cursor;
|
||||
FT_Byte* limit = loader->limit;
|
||||
FT_GlyphLoader gloader = loader->gloader;
|
||||
FT_Long num_glyphs = loader->face->root.num_glyphs;
|
||||
FT_SubGlyph subglyph;
|
||||
FT_UInt num_subglyphs;
|
||||
|
||||
@ -592,6 +593,11 @@
|
||||
subglyph->flags = FT_NEXT_USHORT( p );
|
||||
subglyph->index = FT_NEXT_USHORT( p );
|
||||
|
||||
/* we reject composites that have components */
|
||||
/* with invalid glyph indices */
|
||||
if ( subglyph->index >= num_glyphs )
|
||||
goto Invalid_Composite;
|
||||
|
||||
/* check space */
|
||||
count = 2;
|
||||
if ( subglyph->flags & ARGS_ARE_WORDS )
|
||||
|
Loading…
Reference in New Issue
Block a user