From fa147af4a5255bf9017c9b004f7abd1d5e72f497 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sat, 22 Feb 2020 18:30:46 +0100
Subject: [woff2] Fix font table access.

Reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20778

* src/sfnt/sfwoff2.c (get_x_mins): Explicitly check for presence of
`head' table, which might not have been processed yet.
---
 ChangeLog | 11 +++++++++++
 src/sfnt/sfwoff2.c | 16 +++++++++++++---
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 16a74566a..ad34231ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2020-02-22 Werner Lemberg
+
+ [woff2] Fix font table access.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20778
+
+ * src/sfnt/sfwoff2.c (get_x_mins): Explicitly check for presence of
+ `head' table, which might not have been processed yet.
+
 2020-02-21 Werner Lemberg
 [psaux] Make `t1_decoder_parse_metrics' handle `op_div' (#57519).
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 36365add6..fe3fbe8f6 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1268,8 +1268,11 @@
 FT_Error error = FT_Err_Ok;
 FT_ULong offset_size;
+ /* At this point of time those tables might not have been read yet. */
 const WOFF2_Table maxp_table = find_table( tables, num_tables,
 TTAG_maxp );
+ const WOFF2_Table head_table = find_table( tables, num_tables,
+ TTAG_head );
 if ( !maxp_table )
@@ -1278,6 +1281,12 @@
 return FT_THROW( Invalid_Table );
 }
+ if ( !head_table )
+ {
+ FT_ERROR(( "`head' table is missing.\n" ));
+ return FT_THROW( Invalid_Table );
+ }
+
 /* Read `numGlyphs' field from `maxp' table. */
 if ( FT_STREAM_SEEK( maxp_table->src_offset ) && FT_STREAM_SKIP( 8 ) )
 return error;
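Review bot: The comment added above the `maxp' lookup, `/* At this point of time those tables might not have been read yet. */`, does not tell a reader why the lookup is done here instead of using the cached pointer — judging from the `info->head_table` use removed in the following hunk, that cached field is not yet populated when get_x_mins runs, which is exactly the null dereference this commit closes. Suggest `/* `maxp' and `head' may not have been processed yet, so `info->head_table' */` followed by `/* is not usable here; look both up in the directory and null-check them. */`. The second hunk's `FT_ERROR` message and `FT_THROW( Invalid_Table )` mirror the existing `maxp' branch, which is the right shape. The start of get_x_mins and the rest of its body lie outside these hunks.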
@@ -1288,8 +1297,8 @@
 info->num_glyphs = num_glyphs;
 /* Read `indexToLocFormat' field from `head' table. */
- if ( FT_STREAM_SEEK( info->head_table->src_offset ) &&
- FT_STREAM_SKIP( 50 ) )
+ if ( FT_STREAM_SEEK( head_table->src_offset ) &&
+ FT_STREAM_SKIP( 50 ) )
 return error;
 if ( FT_READ_USHORT( index_format ) )
@@ -2145,7 +2154,8 @@
 #ifdef FT_DEBUG_LEVEL_TRACE
 if ( sfnt_size != woff2.totalSfntSize )
- FT_TRACE4(( "adjusting estimate of uncompressed font size to %lu\n",
+ FT_TRACE4(( "adjusting estimate of uncompressed font size"
+ " to %lu bytes\n",
 sfnt_size ));
 #endif
 }
-- 
cgit v1.2.1
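Review bot: The rewritten seek in get_x_mins, `if ( FT_STREAM_SEEK( head_table->src_offset ) && FT_STREAM_SKIP( 50 ) ) return error;`, keeps the `&&` of the line it replaces, and if these macros follow the usual FreeType convention of evaluating to a non-zero error only on failure, a successful seek short-circuits the condition, the 50-byte skip never runs, `indexToLocFormat' is read from the start of `head' rather than at offset 50, and the early return fires only when both calls fail. The intended form is `if ( FT_STREAM_SEEK( head_table->src_offset ) || FT_STREAM_SKIP( 50 ) ) return error;`. The `maxp' read in the previous hunk, `FT_STREAM_SEEK( maxp_table->src_offset ) && FT_STREAM_SKIP( 8 )`, has the same shape and deserves the same fix even though it is unchanged context here; assuming the standard `maxp' layout with a 4-byte version field first, a skip of 8 would also land past `numGlyphs', which is worth confirming against the table spec. Both the start of get_x_mins and the remainder of its body are outside this hunk.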