[truetype] Fix handling of `cvar' table data.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53 * src/truetype/ttgxvar.c (tt_face_vary_cvt): Ignore invalid CVT indices.
8 years ago · 7eeaf986b5
parent 8370295755
commit 7eeaf986b5
2 changed files with 18 additions and 2 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+2016-10-14  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Fix handling of `cvar' table data.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53
+
+	* src/truetype/ttgxvar.c (tt_face_vary_cvt): Ignore invalid CVT
+	indices.
+
 2016-10-11  Werner Lemberg  <wl@gnu.org>

 	[psaux] Fix handling of invalid flex subrs.
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@ -1552,10 +1552,15 @@

        for ( j = 0; j < point_count; j++ )
        {
-          int      pindex   = localpoints[j];
-          FT_Long  orig_cvt = face->cvt[pindex];
+          int      pindex;
+          FT_Long  orig_cvt;


+          pindex = localpoints[j];
+          if ( (FT_ULong)pindex >= face->cvt_size )
+            continue;
+
+          orig_cvt          = face->cvt[pindex];
          face->cvt[pindex] = (FT_Short)( orig_cvt +
                                          FT_MulFix( deltas[j], apply ) );