diff options
| author | Werner Lemberg <wl@gnu.org> | 2020-02-22 18:30:46 +0100 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2020-02-22 18:30:46 +0100 |
| commit | fa147af4a5255bf9017c9b004f7abd1d5e72f497 (patch) | |
| tree | 42ad6640696dd5643cfe8b47a627426334d59fb8 | |
| parent | 6e49dff0052a73faaea13dd8bdf6f0724539db07 (diff) | |
| download | freetype2-fa147af4a5255bf9017c9b004f7abd1d5e72f497.tar.gz | |
[woff2] Fix font table access.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20778
* src/sfnt/sfwoff2.c (get_x_mins): Explicitly check for presence of
`head' table, which might not have been processed yet.
| -rw-r--r-- | ChangeLog | 11 | ||||
| -rw-r--r-- | src/sfnt/sfwoff2.c | 16 |
2 files changed, 24 insertions, 3 deletions
@@ -1,3 +1,14 @@ +2020-02-22 Werner Lemberg <wl@gnu.org> + + [woff2] Fix font table access. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20778 + + * src/sfnt/sfwoff2.c (get_x_mins): Explicitly check for presence of + `head' table, which might not have been processed yet. + 2020-02-21 Werner Lemberg <wl@gnu.org> [psaux] Make `t1_decoder_parse_metrics' handle `op_div' (#57519). diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c index 36365add6..fe3fbe8f6 100644 --- a/src/sfnt/sfwoff2.c +++ b/src/sfnt/sfwoff2.c @@ -1268,8 +1268,11 @@ FT_Error error = FT_Err_Ok; FT_ULong offset_size; + /* At this point of time those tables might not have been read yet. */ const WOFF2_Table maxp_table = find_table( tables, num_tables, TTAG_maxp ); + const WOFF2_Table head_table = find_table( tables, num_tables, + TTAG_head ); if ( !maxp_table ) @@ -1278,6 +1281,12 @@ return FT_THROW( Invalid_Table ); } + if ( !head_table ) + { + FT_ERROR(( "`head' table is missing.\n" )); + return FT_THROW( Invalid_Table ); + } + /* Read `numGlyphs' field from `maxp' table. */ if ( FT_STREAM_SEEK( maxp_table->src_offset ) && FT_STREAM_SKIP( 8 ) ) return error; @@ -1288,8 +1297,8 @@ info->num_glyphs = num_glyphs; /* Read `indexToLocFormat' field from `head' table. */ - if ( FT_STREAM_SEEK( info->head_table->src_offset ) && - FT_STREAM_SKIP( 50 ) ) + if ( FT_STREAM_SEEK( head_table->src_offset ) && + FT_STREAM_SKIP( 50 ) ) return error; if ( FT_READ_USHORT( index_format ) ) @@ -2145,7 +2154,8 @@ #ifdef FT_DEBUG_LEVEL_TRACE if ( sfnt_size != woff2.totalSfntSize ) - FT_TRACE4(( "adjusting estimate of uncompressed font size to %lu\n", + FT_TRACE4(( "adjusting estimate of uncompressed font size" + " to %lu bytes\n", sfnt_size )); #endif } |