|
 |
43e195 |
From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001
|
|
|
43e195 |
From: Werner Lemberg <wl@gnu.org>
|
|
|
43e195 |
Date: Wed, 12 Nov 2014 19:51:20 +0000
|
|
|
43e195 |
Subject: [sfnt] Fix Savannah bug #43588.
|
|
|
43e195 |
|
|
|
43e195 |
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
|
|
|
43e195 |
tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
|
|
|
43e195 |
against overflow in additions and multiplications.
|
|
|
43e195 |
---
|
|
|
43e195 |
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
|
|
|
43e195 |
index f9acf5d..712bd4f 100644
|
|
|
43e195 |
--- a/src/sfnt/ttcmap.c
|
|
|
43e195 |
+++ b/src/sfnt/ttcmap.c
|
|
|
43e195 |
@@ -1647,7 +1647,8 @@
|
|
|
43e195 |
p = is32 + 8192; /* skip `is32' array */
|
|
|
43e195 |
num_groups = TT_NEXT_ULONG( p );
|
|
|
43e195 |
|
|
|
43e195 |
- if ( p + num_groups * 12 > valid->limit )
|
|
|
43e195 |
+ /* p + num_groups * 12 > valid->limit ? */
|
|
|
43e195 |
+ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
|
|
|
43e195 |
FT_INVALID_TOO_SHORT;
|
|
|
43e195 |
|
|
|
43e195 |
/* check groups, they must be in increasing order */
|
|
|
43e195 |
@@ -1672,7 +1673,12 @@
|
|
|
43e195 |
|
|
|
43e195 |
if ( valid->level >= FT_VALIDATE_TIGHT )
|
|
|
43e195 |
{
|
|
|
43e195 |
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
|
|
|
43e195 |
+ FT_UInt32 d = end - start;
|
|
|
43e195 |
+
|
|
|
43e195 |
+
|
|
|
43e195 |
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
|
|
|
43e195 |
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
|
|
|
43e195 |
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
|
|
|
43e195 |
FT_INVALID_GLYPH_ID;
|
|
|
43e195 |
|
|
|
43e195 |
count = (FT_UInt32)( end - start + 1 );
|
|
|
43e195 |
@@ -1870,7 +1876,9 @@
|
|
|
43e195 |
count = TT_NEXT_ULONG( p );
|
|
|
43e195 |
|
|
|
43e195 |
if ( length > (FT_ULong)( valid->limit - table ) ||
|
|
|
43e195 |
- length < 20 + count * 2 )
|
|
|
43e195 |
+ /* length < 20 + count * 2 ? */
|
|
|
43e195 |
+ length < 20 ||
|
|
|
43e195 |
+ ( length - 20 ) / 2 < count )
|
|
|
43e195 |
FT_INVALID_TOO_SHORT;
|
|
|
43e195 |
|
|
|
43e195 |
/* check glyph indices */
|
|
|
43e195 |
@@ -2057,7 +2065,9 @@
|
|
|
43e195 |
num_groups = TT_NEXT_ULONG( p );
|
|
|
43e195 |
|
|
|
43e195 |
if ( length > (FT_ULong)( valid->limit - table ) ||
|
|
|
43e195 |
- length < 16 + 12 * num_groups )
|
|
|
43e195 |
+ /* length < 16 + 12 * num_groups ? */
|
|
|
43e195 |
+ length < 16 ||
|
|
|
43e195 |
+ ( length - 16 ) / 12 < num_groups )
|
|
|
43e195 |
FT_INVALID_TOO_SHORT;
|
|
|
43e195 |
|
|
|
43e195 |
/* check groups, they must be in increasing order */
|
|
|
43e195 |
@@ -2079,7 +2089,12 @@
|
|
|
43e195 |
|
|
|
43e195 |
if ( valid->level >= FT_VALIDATE_TIGHT )
|
|
|
43e195 |
{
|
|
|
43e195 |
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
|
|
|
43e195 |
+ FT_UInt32 d = end - start;
|
|
|
43e195 |
+
|
|
|
43e195 |
+
|
|
|
43e195 |
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
|
|
|
43e195 |
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
|
|
|
43e195 |
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
|
|
|
43e195 |
FT_INVALID_GLYPH_ID;
|
|
|
43e195 |
}
|
|
|
43e195 |
|
|
|
43e195 |
@@ -2381,7 +2396,9 @@
|
|
|
43e195 |
num_groups = TT_NEXT_ULONG( p );
|
|
|
43e195 |
|
|
|
43e195 |
if ( length > (FT_ULong)( valid->limit - table ) ||
|
|
|
43e195 |
- length < 16 + 12 * num_groups )
|
|
|
43e195 |
+ /* length < 16 + 12 * num_groups ? */
|
|
|
43e195 |
+ length < 16 ||
|
|
|
43e195 |
+ ( length - 16 ) / 12 < num_groups )
|
|
|
43e195 |
FT_INVALID_TOO_SHORT;
|
|
|
43e195 |
|
|
|
43e195 |
/* check groups, they must be in increasing order */
|
|
|
43e195 |
@@ -2762,7 +2779,9 @@
|
|
|
43e195 |
|
|
|
43e195 |
|
|
|
43e195 |
if ( length > (FT_ULong)( valid->limit - table ) ||
|
|
|
43e195 |
- length < 10 + 11 * num_selectors )
|
|
|
43e195 |
+ /* length < 10 + 11 * num_selectors ? */
|
|
|
43e195 |
+ length < 10 ||
|
|
|
43e195 |
+ ( length - 10 ) / 11 < num_selectors )
|
|
|
43e195 |
FT_INVALID_TOO_SHORT;
|
|
|
43e195 |
|
|
|
43e195 |
/* check selectors, they must be in increasing order */
|
|
|
43e195 |
@@ -2798,7 +2817,8 @@
|
|
|
43e195 |
FT_ULong lastBase = 0;
|
|
|
43e195 |
|
|
|
43e195 |
|
|
|
43e195 |
- if ( defp + numRanges * 4 > valid->limit )
|
|
|
43e195 |
+ /* defp + numRanges * 4 > valid->limit ? */
|
|
|
43e195 |
+ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
|
|
|
43e195 |
FT_INVALID_TOO_SHORT;
|
|
|
43e195 |
|
|
|
43e195 |
for ( i = 0; i < numRanges; ++i )
|
|
|
43e195 |
@@ -2825,7 +2845,8 @@
|
|
|
43e195 |
FT_ULong i, lastUni = 0;
|
|
|
43e195 |
|
|
|
43e195 |
|
|
|
43e195 |
- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
|
|
|
43e195 |
+ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
|
|
|
43e195 |
+ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
|
|
|
43e195 |
FT_INVALID_TOO_SHORT;
|
|
|
43e195 |
|
|
|
43e195 |
for ( i = 0; i < numMappings; ++i )
|
|
|
43e195 |
--
|
|
|
43e195 |
cgit v0.9.0.2
|