[truetype] Better protection against invalid VF data.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5739 Bug introduced in commit 08cd62deed. * src/truetype/ttgxvar.c (TT_Set_Var_Design): Always initialize `normalizedcoords'.
2018-01-27 23:59:30 +01:00 · 2018-01-27 23:59:30 +01:00 · 68dddcdcbe
commit 68dddcdcbe
parent 29c759284e
2 changed files with 16 additions and 2 deletions
--- a/13
+++ b/13
@ -1,3 +1,16 @@
+2018-01-27  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Better protection against invalid VF data.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5739
+
+	Bug introduced in commit 08cd62deedefe217f2ea50e392923ce8b5bc7ac7.
+
+	* src/truetype/ttgxvar.c (TT_Set_Var_Design): Always initialize
+	`normalizedcoords'.
+
 2018-01-27  Werner Lemberg  <wl@gnu.org>

 	* src/truetype/ttinterp.c (Ins_GETVARIATION): Avoid NULL reference.
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@ -2821,8 +2821,9 @@
      }
    }

-    /* return value -1 indicates `no change' */
-    if ( !have_diff )
+    /* return value -1 indicates `no change';                      */
+    /* we can exit early if `normalizedcoords' is already computed */
+    if ( blend->normalizedcoords && !have_diff )
      return -1;

    if ( FT_NEW_ARRAY( normalized, mmvar->num_axis ) )