[truetype] Another GX sanity test.

* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Check `tupleCount'. Add tracing message.
9 years ago · 052f6c5649
parent 7ef0d8661a
commit 052f6c5649
2 changed files with 24 additions and 1 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2015-10-13  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Another GX sanity test.
+
+	* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Check
+	`tupleCount'.
+	Add tracing message.
+
 2015-10-13  Werner Lemberg  <wl@gnu.org>

 	[truetype] Fix memory leak for broken GX fonts (#46188).
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@ -1864,7 +1864,19 @@
      goto Fail2;

    tupleCount   = FT_GET_USHORT();
-    offsetToData = glyph_start + FT_GET_USHORT();
+    offsetToData = FT_GET_USHORT();
+
+    /* rough sanity test */
+    if ( offsetToData + tupleCount * 4 > stream->size - stream->pos )
+    {
+      FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
+                  " invalid glyph variation array header\n" ));
+
+      error = FT_THROW( Invalid_Table );
+      goto Fail2;
+    }
+
+    offsetToData += glyph_start;

    if ( tupleCount & GX_TC_TUPLES_SHARE_POINT_NUMBERS )
    {
@ -1901,6 +1913,9 @@
      }
      else if ( ( tupleIndex & GX_TI_TUPLE_INDEX_MASK ) >= blend->tuplecount )
      {
+        FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
+                    " invalid tuple index\n" ));
+
        error = FT_THROW( Invalid_Table );
        goto Fail2;
      }