[cff] Fix another segv in old engine.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) [CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in dictionaries.
6 years ago · 44db1addd8
parent 1937b55734
commit 44db1addd8
2 changed files with 22 additions and 1 deletions
--- a/14
+++ b/14
@ -1,3 +1,15 @@
+2018-08-14  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Fix another segv in old engine.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872
+
+	* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
+	[CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in
+	dictionaries.
+
 2018-08-14  Werner Lemberg  <wl@gnu.org>

 	[cff] Fix missing error handling.
@ -20,7 +32,7 @@

 2018-08-14  Werner Lemberg  <wl@gnu.org>

-	[cff] Fix segv.
+	[cff] Fix segv in old engine.

 	Reported as

--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@ -860,6 +860,15 @@
          case cff_op_flex1:
          case cff_op_callsubr:
          case cff_op_callgsubr:
+            /* depracated opcodes */
+          case cff_op_dotsection:
+            /* invalid Type 1 opcodes */
+          case cff_op_hsbw:
+          case cff_op_closepath:
+          case cff_op_callothersubr:
+          case cff_op_seac:
+          case cff_op_sbw:
+          case cff_op_setcurrentpoint:
            goto MM_Error;

          default: