author | Werner Lemberg <wl@gnu.org> | 2019-09-01 23:03:09 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2019-09-01 23:03:09 +0200 |
commit | 543a3b939df50e02e52b948f4c9c8ba63bf38059 (patch) | |
tree | 7c67805747eca864655fb9257194fef95e47a9b4 | |
parent | cbee985a2bc14750ff850192f9ee8c1efe2bd7c7 (diff) | |
download | freetype2-543a3b939df50e02e52b948f4c9c8ba63bf38059.tar.gz |
* src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check.
Don't trust `totalSfntSize' unconditionally.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16893
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | src/sfnt/sfwoff2.c | 17 |
2 files changed, 26 insertions, 1 deletions
@@ -1,3 +1,13 @@ +2019-09-01 Werner Lemberg <wl@gnu.org> + + * src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check. + + Don't trust `totalSfntSize' unconditionally. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16893 + 2019-08-27 Dominik Röttsches <drott@chromium.org> [woff2] Don't use `FT_UInt64' (#56815). diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c index a599ae505..6e2ff040f 100644 --- a/src/sfnt/sfwoff2.c +++ b/src/sfnt/sfwoff2.c @@ -2092,7 +2092,22 @@ /* This is what we normally expect. */ /* Initially trust `totalSfntSize' and change later as required. */ if ( woff2.totalSfntSize > sfnt_size ) - sfnt_size = woff2.totalSfntSize; + { + /* However, adjust the value to something reasonable. */ + + /* Factor 64 is heuristic. */ + if ( ( woff2.totalSfntSize >> 6 ) > sfnt_size ) + sfnt_size <<= 6; + else + sfnt_size = woff2.totalSfntSize; + + /* Value 1<<26 = 67108864 is heuristic. */ + if (sfnt_size >= (1 << 26)) + sfnt_size = 1 << 26; + + FT_TRACE4(( "adjusting estimate of uncompressed font size to %lu\n", + sfnt_size )); + } /* Write sfnt header. */ if ( FT_ALLOC( sfnt, sfnt_size ) || |
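Review bot: in the sfwoff2.c hunk the `1 << 26` clamp silently lowers `sfnt_size` below what `totalSfntSize` claims, but nothing visible here shows whether the write path that follows `FT_ALLOC( sfnt, sfnt_size )` grows the buffer when the decompressed tables turn out larger than the clamped estimate; please confirm that path bounds-checks against `sfnt_size` (or reallocates), and say so in the "Value 1<<26 = 67108864 is heuristic." comment so the next reader knows why a hard cap is safe. A style nit in the same hunk: `if (sfnt_size >= (1 << 26))` drops the `if ( ... )` spacing used by the surrounding FreeType code (compare `if ( ( woff2.totalSfntSize >> 6 ) > sfnt_size )` two lines above), so `if ( sfnt_size >= ( 1 << 26 ) )` would match.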