Another bunch of UBSan warnings on adding offsets to nullptr.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19427 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19433 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19441 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19451 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19452 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19457 * src/autofit/aflatin.c (af_latin_hints_compute_segments, af_latin_hints_compute_edges): Use `FT_OFFSET'. * src/base/ftstream.c (FT_Stream_EnterFrame): Use `FT_OFFSET'. * src/psaux/cffdecode.c (cff_decoder_parse_charstrings): Exit early if there is no charstring. * src/psaux/psobjs.c (t1_decrypt): Use `FT_OFFSET'. * src/smooth/ftsmooth.c (ft_smooth_render_generic): Exit early for zero bitmap dimensions.
5 years ago · 2c9a2d58ca
parent 11d4ce23ac
commit 2c9a2d58ca
6 changed files with 36 additions and 4 deletions
--- a/26
+++ b/26
@ -1,3 +1,29 @@
+2019-12-13  Werner Lemberg  <wl@gnu.org>
+
+	Another bunch of UBSan warnings on adding offsets to nullptr.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19427
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19433
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19441
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19451
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19452
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19457
+
+	* src/autofit/aflatin.c (af_latin_hints_compute_segments,
+	af_latin_hints_compute_edges): Use `FT_OFFSET'.
+
+	* src/base/ftstream.c (FT_Stream_EnterFrame): Use `FT_OFFSET'.
+
+	* src/psaux/cffdecode.c (cff_decoder_parse_charstrings): Exit early
+	if there is no charstring.
+
+	* src/psaux/psobjs.c (t1_decrypt): Use `FT_OFFSET'.
+
+	* src/smooth/ftsmooth.c (ft_smooth_render_generic): Exit early for
+	zero bitmap dimensions.
+
 2019-12-09  Dominik Röttsches  <drott@chromium.org>

 	Fix more UBSan warnings on adding offset to nullptr (#57384).
--- a/src/autofit/aflatin.c
+++ b/src/autofit/aflatin.c
@ -1910,7 +1910,7 @@
    /* sense -- this is used to better detect and ignore serifs   */
    {
      AF_Segment  segments     = axis->segments;
-      AF_Segment  segments_end = segments + axis->num_segments;
+      AF_Segment  segments_end = FT_OFFSET( segments, axis->num_segments );


      for ( segment = segments; segment < segments_end; segment++ )
@ -2314,7 +2314,7 @@
     */
    {
      AF_Edge  edges      = axis->edges;
-      AF_Edge  edge_limit = edges + axis->num_edges;
+      AF_Edge  edge_limit = FT_OFFSET( edges, axis->num_edges );
      AF_Edge  edge;


--- a/src/base/ftstream.c
+++ b/src/base/ftstream.c
@ -286,7 +286,7 @@
      }

      stream->cursor = stream->base;
-      stream->limit  = stream->cursor + count;
+      stream->limit  = FT_OFFSET( stream->cursor, count );
      stream->pos   += read_bytes;
    }
    else
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@ -530,6 +530,9 @@

    builder->path_begun = 0;

+    if ( !charstring_base )
+      return FT_Err_Ok;
+
    zone->base           = charstring_base;
    limit = zone->limit  = charstring_base + charstring_len;
    ip    = zone->cursor = zone->base;
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@ -2577,7 +2577,7 @@
              FT_UShort  seed )
  {
    PS_Conv_EexecDecode( &buffer,
-                         buffer + length,
+                         FT_OFFSET( buffer, length ),
                         buffer,
                         length,
                         &seed );
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@ -155,6 +155,9 @@
      goto Exit;
    }

+    if ( !bitmap->rows || !bitmap->pitch )
+      goto Exit;
+
    /* allocate new one */
    if ( FT_ALLOC_MULT( bitmap->buffer, bitmap->rows, bitmap->pitch ) )
      goto Exit;