ref: 9c54d1246abc7172f1e0ca88b786c3b6e32d000b
parent: 922812281cdec91174e627760e1db0d6145e9e91
author: Werner Lemberg <[email protected]>
date: Tue Oct 11 04:57:55 EDT 2016
[psaux] Fix handling of invalid flex subrs. Problem reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52 * src/psaux/t1decode.c (t1_decoder_parse_charstrings) <op_callothersubr>: Set `flex_state' after error checking.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2016-10-11 Werner Lemberg <[email protected]>
+ [psaux] Fix handling of invalid flex subrs.
+
+ Problem reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+ <op_callothersubr>: Set `flex_state' after error checking.
+
+2016-10-11 Werner Lemberg <[email protected]>
+
* src/truetype/ttgxvar.c (tt_done_blend): Fix deallocation.
2016-10-08 Werner Lemberg <[email protected]>
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -734,7 +734,7 @@
if ( arg_cnt != 3 )
goto Unexpected_OtherSubr;
- if ( decoder->flex_state == 0 ||
+ if ( !decoder->flex_state ||
decoder->num_flex_vectors != 7 )
{
FT_ERROR(( "t1_decoder_parse_charstrings:"
@@ -752,13 +752,14 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
- decoder->flex_state = 1;
- decoder->num_flex_vectors = 0;
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 6 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
+
+ decoder->flex_state = 1;
+ decoder->num_flex_vectors = 0;
break;
case 2: /* add flex vectors */
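Review bot: The start-flex branch now assigns `decoder->flex_state` and `decoder->num_flex_vectors` only after `t1_builder_start_point` and `t1_builder_check_points` succeed, but nothing in the code records why that order matters, so a later cleanup could move the assignments back above the checks. The charstring comes from untrusted font data, and the other flex branches in this diff gate on `flex_state`. I would put a comment directly above the two assignments, e.g. `/* enter flex mode only after the builder calls succeeded, so a failed start never leaves flex_state set */`. The hunk does not show whether a second start-flex call arriving while `flex_state` is already non-zero is rejected or silently resets `num_flex_vectors`; that is worth confirming against the full switch, which begins and ends outside this hunk.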
@@ -769,7 +770,7 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
- if ( decoder->flex_state == 0 )
+ if ( !decoder->flex_state )
{
FT_ERROR(( "t1_decoder_parse_charstrings:"
" missing flex start\n" ));
@@ -1222,9 +1223,9 @@
FT_TRACE4(( " hvcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
x += top[0];
@@ -1269,9 +1270,9 @@
FT_TRACE4(( " rrcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
x += top[0];
@@ -1291,9 +1292,9 @@
FT_TRACE4(( " vhcurveto" ));
if ( ( error = t1_builder_start_point( builder, x, y ) )
- != FT_Err_Ok ||
+ != FT_Err_Ok ||
( error = t1_builder_check_points( builder, 3 ) )
- != FT_Err_Ok )
+ != FT_Err_Ok )
goto Fail;
y += top[0];