Fix handling of invalid format 2 cmaps.

The problem was introduced after the last release. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7828 * src/sfnt/ttcmap.c (tt_cmap2_char_next): Avoid endless loop.
7 years ago · 1655e00fce
parent 2a1597826a
commit 1655e00fce
2 changed files with 19 additions and 0 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+2018-03-13  Werner Lemberg  <wl@gnu.org>
+
+	Fix handling of invalid format 2 cmaps.
+
+	The problem was introduced after the last release.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7828
+
+	* src/sfnt/ttcmap.c (tt_cmap2_char_next): Avoid endless loop.
+
 2018-04-17  Werner Lemberg  <wl@gnu.org>

 	[truetype] Integer overflow issues.
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@ -518,6 +518,13 @@
        FT_UInt   pos, idx;


+        if ( char_lo > start + count )
+        {
+          /* this happens only for a malformed cmap */
+          charcode = 0x100;
+          continue;
+        }
+
        if ( offset == 0 )
        {
          if ( charcode == 0x100 )