Avoid more nullptr offset UBSan warnings (#57316).

* src/base/ftoutln.c (FT_Outline_Transform): Bail on empty points. * src/cff/cffload.c (cff_subfont_load): Use `FT_OFFSET'. * src/psaux/psft.c (cf2_decoder_parse_substrings): Early out if `charstring_base' or `charstring_len' are null. * src/sfnt/ttload.c (tt_face_load_name): Use `FT_OFFSET'.
2019-11-27 11:38:45 -05:00 · 2019-11-27 11:38:45 -05:00 · 4270e9f324
commit 4270e9f324
parent d4f9c24989
5 changed files with 17 additions and 4 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2019-11-29  Dominik Röttsches  <drott@chromium.org>
+
+	Avoid more nullptr offset UBSan warnings (#57316).
+
+	* src/base/ftoutln.c (FT_Outline_Transform): Bail on empty points.
+	* src/cff/cffload.c (cff_subfont_load): Use `FT_OFFSET'.
+	* src/psaux/psft.c (cf2_decoder_parse_substrings): Early out if
+	`charstring_base' or `charstring_len' are null.
+	* src/sfnt/ttload.c (tt_face_load_name): Use `FT_OFFSET'.
+
 2019-11-23  John Stracke  <jstracke@Google.com>

 	[base] Really fix #57194.
--- a/src/base/ftoutln.c
+++ b/src/base/ftoutln.c
@ -711,7 +711,7 @@
    FT_Vector*  limit;


-    if ( !outline || !matrix )
+    if ( !outline || !matrix || !outline->points )
      return;

    vec   = outline->points;
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@ -2057,7 +2057,7 @@
    if ( !error )
    {
      FT_TRACE4(( " top dictionary:\n" ));
-      error = cff_parser_run( &parser, dict, dict + dict_len );
+      error = cff_parser_run( &parser, dict, FT_OFFSET( dict, dict_len ) );
    }

    /* clean up regardless of error */
--- a/src/psaux/psft.c
+++ b/src/psaux/psft.c
@ -313,9 +313,12 @@
    FT_Error   error = FT_Err_Ok;
    CF2_Font   font;

-    FT_Bool    is_t1 = decoder->builder.is_t1;
+    FT_Bool  is_t1 = decoder->builder.is_t1;


+    if ( !charstring_base || !charstring_len )
+      return FT_ERR( Invalid_File_Format );
+
    FT_ASSERT( decoder &&
               ( is_t1 || decoder->cff ) );

--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@ -924,7 +924,7 @@
      /* load language tags */
      {
        TT_LangTag  entry = table->langTags;
-        TT_LangTag  limit = entry + table->numLangTagRecords;
+        TT_LangTag  limit = FT_OFFSET( entry, table->numLangTagRecords );


        for ( ; entry < limit; entry++ )