From e1f364e5097008c845f1963f938b6e8adab5e4e6 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Thu, 25 Feb 2021 20:00:07 +0100 Subject: [PATCH] [woff2] Fix memory leak. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28148 * src/sfnt/sfwoff2.c (woff2_open_font): Reject fonts that have multiple tables with the same tag. While not explicitly forbidden in the OpenType specification, it is implicitly forbidden by describing a binary search algorithm for tables that only works reliably if table tags are unique. --- ChangeLog | 14 ++++++++++++++ src/sfnt/sfwoff2.c | 19 +++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/ChangeLog b/ChangeLog index 59919e796..7945b1eb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +2021-02-25 Werner Lemberg + + [woff2] Fix memory leak. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28148 + + * src/sfnt/sfwoff2.c (woff2_open_font): Reject fonts that have + multiple tables with the same tag. While not explicitly forbidden + in the OpenType specification, it is implicitly forbidden by + describing a binary search algorithm for tables that only works + reliably if table tags are unique. + 2021-02-22 Werner Lemberg * CMakeLists.txt: Update location of `LICENSE.TXT`. diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c index 2fe7f4728..edf173dc3 100644 --- a/src/sfnt/sfwoff2.c +++ b/src/sfnt/sfwoff2.c @@ -2208,6 +2208,25 @@ sizeof ( WOFF2_Table ), compare_tags ); + /* reject fonts that have multiple tables with the same tag */ + for ( nn = 1; nn < woff2.num_tables; nn++ ) + { + FT_ULong tag = indices[nn]->Tag; + + + if ( tag == indices[nn - 1]->Tag ) + { + FT_ERROR(( "woff2_open_font:" + " multiple tables with tag `%c%c%c%c'.\n", + (FT_Char)( tag >> 24 ), + (FT_Char)( tag >> 16 ), + (FT_Char)( tag >> 8 ), + (FT_Char)( tag ) )); + error = FT_THROW( Invalid_Table ); + goto Exit; + } + } + if ( woff2.uncompressed_size < 1 ) { error = FT_THROW( Invalid_Table );
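Review bot: The new FT_ERROR in the duplicate-tag branch prints the four tag bytes of an untrusted font with `%c`, so any byte value, including control characters, is written verbatim to the error stream; FT_ERROR is presumably compiled out in non-debug builds, but where it is active a crafted tag can garble the log or inject terminal escape sequences. Appending the numeric value keeps the message unambiguous whatever the bytes are: change the format line to `" multiple tables with tag `%c%c%c%c' (0x%08lX).\n",` and add `(unsigned long)tag` as a final argument after `(FT_Char)( tag )`. The adjacency test `tag == indices[nn - 1]->Tag` is only sound because `indices` was just sorted with `compare_tags` in the call visible above the loop; a comment such as `/* indices[] is sorted by tag by the sort call above, so duplicates are adjacent */` would make that dependency explicit for anyone reordering the code later. woff2_open_font starts and ends outside the hunk, so the declaration of `nn` and the bound of `indices` cannot be checked here.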