[cid] Various loading fixes.

* src/cid/cidload.c (cid_load_keyword) <default>, (parse_font_matrix, parse_expansion_factor): Correctly check number of dictionaries. (cid_read_subrs): Protect against invalid values of `num_subrs'. Assure that the elements of the `offsets' array are ascending.
13 years ago · 14a16e3430
parent b2874fd5be
commit 14a16e3430
2 changed files with 32 additions and 4 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2011-11-08  Braden Thomas  <bthomas@apple.com>
+
+	[cid] Various loading fixes.
+
+	* src/cid/cidload.c (cid_load_keyword) <default>,
+	(parse_font_matrix, parse_expansion_factor): Correctly check number
+	of dictionaries.
+	(cid_read_subrs): Protect against invalid values of `num_subrs'.
+	Assure that the elements of the `offsets' array are ascending.
+
 2011-11-05  Werner Lemberg  <wl@gnu.org>

 	* README: We use copyright ranges also.
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@ -4,7 +4,7 @@
 /*                                                                         */
 /*    CID-keyed Type1 font loader (body).                                  */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by             */
+/*  Copyright 1996-2006, 2009, 2011 by                                     */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@ -110,7 +110,7 @@
        CID_FaceDict  dict;


-        if ( parser->num_dict < 0 )
+        if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )
        {
          FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n",
                     keyword->ident ));
@ -158,7 +158,7 @@
    FT_Fixed      temp_scale;


-    if ( parser->num_dict >= 0 )
+    if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
    {
      dict   = face->cid.font_dicts + parser->num_dict;
      matrix = &dict->font_matrix;
@ -249,7 +249,7 @@
    CID_FaceDict  dict;


-    if ( parser->num_dict >= 0 )
+    if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
    {
      dict = face->cid.font_dicts + parser->num_dict;

@ -413,12 +413,25 @@
      FT_Byte*      p;


+      /* Check for possible overflow. */
+      if ( num_subrs == FT_UINT_MAX )
+      {
+        error = CID_Err_Syntax_Error;
+        goto Fail;
+      }
+
      /* reallocate offsets array if needed */
      if ( num_subrs + 1 > max_offsets )
      {
        FT_UInt  new_max = FT_PAD_CEIL( num_subrs + 1, 4 );


+        if ( new_max <= max_offsets )
+        {
+          error = CID_Err_Syntax_Error;
+          goto Fail;
+        }
+
        if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )
          goto Fail;

@ -436,6 +449,11 @@

      FT_FRAME_EXIT();

+      /* offsets must be ordered */
+      for ( count = 1; count <= num_subrs; count++ )
+        if ( offsets[count - 1] > offsets[count] )
+          goto Fail;
+
      /* now, compute the size of subrs charstrings, */
      /* allocate, and read them                     */
      data_len = offsets[num_subrs] - offsets[0];