diff options
| author | Ben Wagner <bungeman@chromium.org> | 2021-10-20 11:38:16 -0400 |
|---|---|---|
| committer | Alexei Podtelezhnikov <apodtele@gmail.com> | 2021-10-20 11:38:16 -0400 |
| commit | 6d12e3a0caf7e6c730972cadfdee758b2908ba9c (patch) | |
| tree | 524e5eae667a92ecadff6bfdc0a3c2348242c67c /src | |
| parent | e990c33f218dc7ca619444e17b0bf5085b4b727c (diff) | |
| download | freetype2-6d12e3a0caf7e6c730972cadfdee758b2908ba9c.tar.gz | |
[sfnt] Delay setting names and langTags until computed.
Previously, the table->names and table->langTags fields were created
pointing to uninitialized memory and an early exit could happen if the
frame could not be entered. The caller would then be unable to properly
dispose of the memory as the string fields had not been initialized.
Reported as
https://bugs.chromium.org/p/chromium/issues/detail?id=1261343
* src/sfnt/ttload.c (tt_face_load_name): delay setting table->langTags
and table->names until after the memory they will point to is fully
initialized.
Diffstat (limited to 'src')
| -rw-r--r-- | src/sfnt/ttload.c | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c index e07e39279..e83e3ff2d 100644 --- a/src/sfnt/ttload.c +++ b/src/sfnt/ttload.c @@ -837,6 +837,8 @@ FT_ULong table_pos, table_len; FT_ULong storage_start, storage_limit; TT_NameTable table; + TT_Name names = NULL; + TT_LangTag langTags = NULL; static const FT_Frame_Field name_table_fields[] = { @@ -917,13 +919,13 @@ storage_start += 2 + 4 * table->numLangTagRecords; /* allocate language tag records array */ - if ( FT_QNEW_ARRAY( table->langTags, table->numLangTagRecords ) || - FT_FRAME_ENTER( table->numLangTagRecords * 4 ) ) + if ( FT_QNEW_ARRAY( langTags, table->numLangTagRecords ) || + FT_FRAME_ENTER( table->numLangTagRecords * 4 ) ) goto Exit; /* load language tags */ { - TT_LangTag entry = table->langTags; + TT_LangTag entry = langTags; TT_LangTag limit = FT_OFFSET( entry, table->numLangTagRecords ); @@ -943,6 +945,9 @@ /* mark the string as not yet loaded */ entry->string = NULL; } + + table->langTags = langTags; + langTags = NULL; } FT_FRAME_EXIT(); @@ -951,13 +956,13 @@ } /* allocate name records array */ - if ( FT_QNEW_ARRAY( table->names, table->numNameRecords ) || - FT_FRAME_ENTER( table->numNameRecords * 12 ) ) + if ( FT_QNEW_ARRAY( names, table->numNameRecords ) || + FT_FRAME_ENTER( table->numNameRecords * 12 ) ) goto Exit; /* load name records */ { - TT_Name entry = table->names; + TT_Name entry = names; FT_UInt count = table->numNameRecords; FT_UInt valid = 0; @@ -1000,9 +1005,11 @@ } /* reduce array size to the actually used elements */ - FT_MEM_QRENEW_ARRAY( table->names, + FT_MEM_QRENEW_ARRAY( names, table->numNameRecords, valid ); + table->names = names; + names = NULL; table->numNameRecords = valid; } @@ -1012,6 +1019,8 @@ face->num_names = (FT_UShort)table->numNameRecords; Exit: + FT_FREE( names ); + FT_FREE( langTags ); return error; } |