shithub: freetype+ttf2subf

ref: 7eeaf986b5ebb43cbbc8368c6e528ac311d87805
parent: 83702957553fd130f62496cfbc31c2a73b22e852
author: Werner Lemberg <[email protected]>
date: Fri Oct 14 04:58:17 EDT 2016

[truetype] Fix handling of `cvar' table data.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53

* src/truetype/ttgxvar.c (tt_face_vary_cvt): Ignore invalid CVT
indices.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2016-10-14  Werner Lemberg  <[email protected]>
+
+	[truetype] Fix handling of `cvar' table data.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53
+
+	* src/truetype/ttgxvar.c (tt_face_vary_cvt): Ignore invalid CVT
+	indices.
+
 2016-10-11  Werner Lemberg  <[email protected]>
 
 	[psaux] Fix handling of invalid flex subrs.
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1552,10 +1552,15 @@
 
         for ( j = 0; j < point_count; j++ )
         {
-          int      pindex   = localpoints[j];
-          FT_Long  orig_cvt = face->cvt[pindex];
+          int      pindex;
+          FT_Long  orig_cvt;
 
 
+          pindex = localpoints[j];
+          if ( (FT_ULong)pindex >= face->cvt_size )
+            continue;
+
+          orig_cvt          = face->cvt[pindex];
           face->cvt[pindex] = (FT_Short)( orig_cvt +
                                           FT_MulFix( deltas[j], apply ) );
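Review bot: the new `continue` after `if ( (FT_ULong)pindex >= face->cvt_size )` discards an out-of-range index without any trace, so a font with malformed `cvar' data renders with some CVT deltas silently missing and nothing in the debug output says why. Consider emitting a trace message (for example via `FT_TRACE2`) before the `continue`. Also, the check depends on the `(FT_ULong)` cast to reject a negative `pindex`, since `pindex` is declared `int`; a one-line comment saying so, or declaring `pindex` as an unsigned type, would keep a later cleanup from dropping the cast and reopening the out-of-bounds read and write on `face->cvt[pindex]`.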