diff options
| author | Ben Wanger <bungeman@gmail.com> | 2024-05-02 13:16:46 -0400 |
|---|---|---|
| committer | Ben Wanger <bungeman@gmail.com> | 2024-05-02 15:00:27 -0400 |
| commit | 13d1180f4542d19557e146cc0124e51891733b0c (patch) | |
| tree | b2ea7ed4f09249309411c09e5b8f571ab394be17 | |
| parent | 4d504684789dc6f8f452aaa4df04f96f31082345 (diff) | |
| download | freetype-13d1180f4542d19557e146cc0124e51891733b0c.tar.gz | |
[woff2] Disallow zero table font entries
The existing code already disallows zero table woff2 overall, but still
allows for individual CollectionFontEntry to create font instances with
zero tables. Such fonts are not useful so error early.
This also fixes an MSAN discovered issue where if a CollectionFontEntry
numTables is zero then the sfnt_header was not fully initialized.
* src/sfnt/sfwoff2.c (woff2_open_font): error on zero tables, always
initalize sfnt_header
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68384
| -rw-r--r-- | src/sfnt/sfwoff2.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c index 3df4d2664..0e272fc99 100644 --- a/src/sfnt/sfwoff2.c +++ b/src/sfnt/sfwoff2.c @@ -1791,7 +1791,6 @@ FT_Byte* sfnt = NULL; FT_Stream sfnt_stream = NULL; - FT_Byte* sfnt_header; FT_ULong sfnt_size; FT_Byte* uncompressed_buf = NULL; @@ -2135,6 +2134,13 @@ WOFF2_TtcFont ttc_font = woff2.ttc_fonts + face_index; + if ( ttc_font->num_tables == 0 ) + { + FT_ERROR(( "woff2_open_font: invalid WOFF2 CollectionFontEntry\n" )); + error = FT_THROW( Invalid_Table ); + goto Exit; + } + /* Create a temporary array. */ if ( FT_QNEW_ARRAY( temp_indices, ttc_font->num_tables ) ) @@ -2190,13 +2196,9 @@ FT_NEW( sfnt_stream ) ) goto Exit; - sfnt_header = sfnt; - - WRITE_ULONG( sfnt_header, woff2.flavor ); - - if ( woff2.num_tables ) { - FT_UInt searchRange, entrySelector, rangeShift, x; + FT_UInt searchRange, entrySelector, rangeShift, x; + FT_Byte* sfnt_header = sfnt; x = woff2.num_tables; @@ -2211,6 +2213,7 @@ searchRange = ( 1 << entrySelector ) * 16; rangeShift = ( woff2.num_tables * 16 ) - searchRange; + WRITE_ULONG( sfnt_header, woff2.flavor ); WRITE_USHORT( sfnt_header, woff2.num_tables ); WRITE_USHORT( sfnt_header, searchRange ); WRITE_USHORT( sfnt_header, entrySelector ); |