Another fix for handling invalid format 2 cmaps.

Sigh. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8003 * src/sfnt/ttcmap.c (tt_cmap2_char_next): Adjust condition to avoid an endless loop.
7 years ago · ac97a29653
parent 2157d8fa6f
commit ac97a29653
2 changed files with 14 additions and 1 deletions
--- a/13
+++ b/13
@ -1,3 +1,16 @@
+2018-04-26  Werner Lemberg  <wl@gnu.org>
+
+	Another fix for handling invalid format 2 cmaps.
+
+	Sigh.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8003
+
+	* src/sfnt/ttcmap.c (tt_cmap2_char_next): Adjust condition to avoid
+	an endless loop.
+
 2018-04-24  Ben Wagner  <bungeman@google.com>

 	[base] Avoid undefined behaviour in lcd filtering code (#53727).
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@ -518,7 +518,7 @@
        FT_UInt   pos, idx;


-        if ( char_lo > start + count && charcode <= 0xFF )
+        if ( char_lo >= start + count && charcode <= 0xFF )
        {
          /* this happens only for a malformed cmap */
          charcode = 0x100;