[cff, type1] Sanitize `BlueFuzz' and `BlueShift'.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7371 * src/cff/cffload.c (cff_load_private_dict): Sanitize `priv->blue_shift' and `priv->blue_fuzz' to avoid overflows later on. * src/type1/t1load.c (T1_Open_Face): Ditto.
7 years ago · 3b8f16803c
parent 26ad1acbcb
commit 3b8f16803c
4 changed files with 52 additions and 2 deletions
--- a/14
+++ b/14
@ -1,3 +1,17 @@
+2018-04-04  Werner Lemberg  <wl@gnu.org>
+
+	[cff, type1] Sanitize `BlueFuzz' and `BlueShift'.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7371
+
+	* src/cff/cffload.c (cff_load_private_dict): Sanitize
+	`priv->blue_shift' and `priv->blue_fuzz' to avoid overflows later
+	on.
+
+	* src/type1/t1load.c (T1_Open_Face): Ditto.
+
 2018-04-04  Ben Wagner  <bungeman@google.com>

 	* src/truetype/ttobjs.c (trick_names): Add 3 tricky fonts (#53554),
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@ -1933,6 +1933,24 @@
    else if ( priv->initial_random_seed == 0 )
      priv->initial_random_seed = 987654321;

+    /* some sanitizing to avoid overflows later on; */
+    /* the upper limits are ad-hoc values           */
+    if ( priv->blue_shift > 1000 || priv->blue_shift < 0 )
+    {
+      FT_TRACE2(( "cff_load_private_dict:"
+                  " setting unlikely BlueShift value %d to default (7)\n",
+                  priv->blue_shift ));
+      priv->blue_shift = 7;
+    }
+
+    if ( priv->blue_fuzz > 1000 || priv->blue_fuzz < 0 )
+    {
+      FT_TRACE2(( "cff_load_private_dict:"
+                  " setting unlikely BlueFuzz value %d to default (1)\n",
+                  priv->blue_fuzz ));
+      priv->blue_fuzz = 1;
+    }
+
  Exit:
    /* clean up */
    cff_blend_clear( subfont ); /* clear blend stack */
--- a/src/pshinter/pshglob.c
+++ b/src/pshinter/pshglob.c
@ -227,8 +227,8 @@
  }


-  /* Re-read blue zones from the original fonts and store them into out */
-  /* private structure.  This function re-orders, sanitizes and         */
+  /* Re-read blue zones from the original fonts and store them into our */
+  /* private structure.  This function re-orders, sanitizes, and        */
  /* fuzz-expands the zones as well.                                    */
  static void
  psh_blues_set_zones( PSH_Blues  target,
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@ -2493,6 +2493,24 @@
      type1->encoding.num_chars  = loader.num_chars;
    }

+    /* some sanitizing to avoid overflows later on; */
+    /* the upper limits are ad-hoc values           */
+    if ( priv->blue_shift > 1000 || priv->blue_shift < 0 )
+    {
+      FT_TRACE2(( "T1_Open_Face:"
+                  " setting unlikely BlueShift value %d to default (7)\n",
+                  priv->blue_shift ));
+      priv->blue_shift = 7;
+    }
+
+    if ( priv->blue_fuzz > 1000 || priv->blue_fuzz < 0 )
+    {
+      FT_TRACE2(( "T1_Open_Face:"
+                  " setting unlikely BlueFuzz value %d to default (1)\n",
+                  priv->blue_fuzz ));
+      priv->blue_fuzz = 1;
+    }
+
  Exit:
    t1_done_loader( &loader );
    return error;