mirrors/freetype
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[type1] Avoid segfaults with `FT_Get_PS_Font_Value'.

Browse Source 
Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610

* src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
This commit is contained in:
Werner Lemberg 2018-07-28 22:23:16 +02:00
parent c9edca8ee9
commit 6e44d78cc1
2 changed files with 48 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@ -1,3 +1,13 @@
2018-07-28 Werner Lemberg <wl@gnu.org>
[type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9610
* src/type1/t1driver.c (t1_ps_get_font_value): Protect against NULL.
2018-07-27 Werner Lemberg <wl@gnu.org>
[truetype] Make `TT_Set_MM_Blend' idempotent (#54388).

57
src/type1/t1driver.c
View File

@ -270,9 +270,12 @@
break;
case PS_DICT_FONT_NAME:
retval = ft_strlen( type1->font_name ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_name ), retval );
if ( type1->font_name )
{
retval = ft_strlen( type1->font_name ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_name ), retval );
}
break;
case PS_DICT_UNIQUE_ID:
@ -362,7 +365,7 @@
ok = 1;
}
if ( ok )
if ( ok && type1->subrs )
{
retval = type1->subrs_len[idx] + 1;
if ( value && value_len >= retval )
@ -559,33 +562,49 @@
break;
case PS_DICT_VERSION:
retval = ft_strlen( type1->font_info.version ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.version ), retval );
if ( type1->font_info.version )
{
retval = ft_strlen( type1->font_info.version ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.version ), retval );
}
break;
case PS_DICT_NOTICE:
retval = ft_strlen( type1->font_info.notice ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
if ( type1->font_info.notice )
{
retval = ft_strlen( type1->font_info.notice ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.notice ), retval );
}
break;
case PS_DICT_FULL_NAME:
retval = ft_strlen( type1->font_info.full_name ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
if ( type1->font_info.full_name )
{
retval = ft_strlen( type1->font_info.full_name ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.full_name ), retval );
}
break;
case PS_DICT_FAMILY_NAME:
retval = ft_strlen( type1->font_info.family_name ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.family_name ), retval );
if ( type1->font_info.family_name )
{
retval = ft_strlen( type1->font_info.family_name ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.family_name ),
retval );
}
break;
case PS_DICT_WEIGHT:
retval = ft_strlen( type1->font_info.weight ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
if ( type1->font_info.weight )
{
retval = ft_strlen( type1->font_info.weight ) + 1;
if ( value && value_len >= retval )
ft_memcpy( value, (void *)( type1->font_info.weight ), retval );
}
break;
case PS_DICT_ITALIC_ANGLE: