[sfnt] Fix broken pointer overflow checks.

Many compilers such as gcc and clang optimize away pointer overflow checks `p + n < p', because pointer overflow is undefined behavior. Use a safe form `n > p_limit - p' instead. Also avoid possible integer overflow issues, for example, using `num_glyphs > ( p_limit - p ) / 2' rather than `num_glyphs * 2' given a large `num_glyphs'. * src/sfnt/ttsbit0.c (tt_sbit_decoder_load_image): Implement it.
12 years ago · ba931be2af
parent 817caa9f4f
commit ba931be2af
2 changed files with 22 additions and 14 deletions
--- a/16
+++ b/16
@ -1,6 +1,20 @@
+2013-01-25  Xi Wang  <xi.wang@gmail.com>
+
+	[sfnt] Fix broken pointer overflow checks.
+
+	Many compilers such as gcc and clang optimize away pointer overflow
+	checks `p + n < p', because pointer overflow is undefined behavior. 
+	Use a safe form `n > p_limit - p' instead.
+
+	Also avoid possible integer overflow issues, for example, using
+	`num_glyphs > ( p_limit - p ) / 2' rather than `num_glyphs * 2'
+	given a large `num_glyphs'.
+
+	* src/sfnt/ttsbit0.c (tt_sbit_decoder_load_image): Implement it.
+
 2013-01-25  Werner Lemberg  <wl@gnu.org>

-	Fix `make multi'
+	[base] Fix `make multi'.

 	* src/base/ftoutln.c, src/base/fttrigon.c: Include
 	FT_INTERNAL_CALC_H.
--- a/src/sfnt/ttsbit0.c
+++ b/src/sfnt/ttsbit0.c
@ -823,11 +823,11 @@
    image_offset = FT_NEXT_ULONG( p );

    /* overflow check */
-    if ( decoder->eblc_base + decoder->strike_index_array + image_offset <
-           decoder->eblc_base )
+    p = decoder->eblc_base + decoder->strike_index_array;
+    if ( image_offset > (FT_ULong)( p_limit - p ) )
      goto Failure;

-    p = decoder->eblc_base + decoder->strike_index_array + image_offset;
+    p += image_offset;
    if ( p + 8 > p_limit )
      goto NoBitmap;

@ -894,11 +894,8 @@

        num_glyphs = FT_NEXT_ULONG( p );

-        /* overflow check */
-        if ( p + ( num_glyphs + 1 ) * 4 < p )
-          goto Failure;
-
-        if ( p + ( num_glyphs + 1 ) * 4 > p_limit )
+        /* overflow check for p + ( num_glyphs + 1 ) * 4 */
+        if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
          goto NoBitmap;

        for ( mm = 0; mm < num_glyphs; mm++ )
@ -936,11 +933,8 @@

        num_glyphs = FT_NEXT_ULONG( p );

-        /* overflow check */
-        if ( p + 2 * num_glyphs < p )
-          goto Failure;
-
-        if ( p + 2 * num_glyphs > p_limit )
+        /* overflow check for p + 2 * num_glyphs */
+        if ( num_glyphs > (FT_ULong)( ( p_limit - p ) >> 1 ) )
          goto NoBitmap;

        for ( mm = 0; mm < num_glyphs; mm++ )