[pcf] Protect against gzip bombs.

Fix suggested by Kostya; reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=345 * src/pcf/pcfread.c (pcf_read_TOC): Limit number of TOC entries to 1024.
2016-12-29 06:03:40 +01:00 · 2016-12-29 06:03:40 +01:00 · 346b141762
parent 6fb549ddab
commit 346b141762
2 changed files with 20 additions and 4 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+2016-12-29  Werner Lemberg  <wl@gnu.org>
+
+	[pcf] Protect against gzip bombs.
+
+	Fix suggested by Kostya; reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=345
+
+	* src/pcf/pcfread.c (pcf_read_TOC): Limit number of TOC entries to
+	1024.
+
 2016-12-28  Werner Lemberg  <wl@gnu.org>

 	[psnames] Only declare, not define, data in `pstables.h' (#49949).
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@ -109,13 +109,18 @@ THE SOFTWARE.
    if ( stream->size < 16 )
      return FT_THROW( Invalid_File_Format );

-    /* we need 16 bytes per TOC entry */
-    if ( toc->count > stream->size >> 4 )
+    /* We need 16 bytes per TOC entry.  Additionally, as a */
+    /* heuristic protection against gzip bombs (i.e., very */
+    /* small input files that expand to insanely large     */
+    /* files), we limit the number of TOC entries to 1024. */
+    if ( toc->count > stream->size >> 4 ||
+         toc->count > 1024              )
    {
      FT_TRACE0(( "pcf_read_TOC: adjusting number of tables"
                  " (from %d to %d)\n",
-                  toc->count, stream->size >> 4 ));
-      toc->count = stream->size >> 4;
+                  toc->count,
+                  FT_MIN( stream->size >> 4, 1024 ) ));
+      toc->count = FT_MIN( stream->size >> 4, 1024 );
    }

    if ( FT_NEW_ARRAY( face->toc.tables, toc->count ) )