3
From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001
4
From: Werner Lemberg <wl@gnu.org>
5
Date: Wed, 12 Nov 2014 19:51:20 +0000
6
Subject: [sfnt] Fix Savannah bug #43588.
8
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
9
tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
10
against overflow in additions and multiplications.
12
Index: freetype-2.5.2/src/sfnt/ttcmap.c
13
===================================================================
14
--- freetype-2.5.2.orig/src/sfnt/ttcmap.c 2015-02-24 08:26:48.072062380 -0500
15
+++ freetype-2.5.2/src/sfnt/ttcmap.c 2015-02-24 08:26:48.068062354 -0500
17
p = is32 + 8192; /* skip `is32' array */
18
num_groups = TT_NEXT_ULONG( p );
20
- if ( p + num_groups * 12 > valid->limit )
21
+ /* p + num_groups * 12 > valid->limit ? */
22
+ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
25
/* check groups, they must be in increasing order */
26
@@ -1674,7 +1675,12 @@
28
if ( valid->level >= FT_VALIDATE_TIGHT )
30
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
31
+ FT_UInt32 d = end - start;
34
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
35
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
36
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
39
count = (FT_UInt32)( end - start + 1 );
41
count = TT_NEXT_ULONG( p );
43
if ( length > (FT_ULong)( valid->limit - table ) ||
44
- length < 20 + count * 2 )
45
+ /* length < 20 + count * 2 ? */
47
+ ( length - 20 ) / 2 < count )
50
/* check glyph indices */
52
num_groups = TT_NEXT_ULONG( p );
54
if ( length > (FT_ULong)( valid->limit - table ) ||
55
- length < 16 + 12 * num_groups )
56
+ /* length < 16 + 12 * num_groups ? */
58
+ ( length - 16 ) / 12 < num_groups )
61
/* check groups, they must be in increasing order */
62
@@ -2081,7 +2091,12 @@
64
if ( valid->level >= FT_VALIDATE_TIGHT )
66
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
67
+ FT_UInt32 d = end - start;
70
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
71
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
72
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
77
num_groups = TT_NEXT_ULONG( p );
79
if ( length > (FT_ULong)( valid->limit - table ) ||
80
- length < 16 + 12 * num_groups )
81
+ /* length < 16 + 12 * num_groups ? */
83
+ ( length - 16 ) / 12 < num_groups )
86
/* check groups, they must be in increasing order */
90
if ( length > (FT_ULong)( valid->limit - table ) ||
91
- length < 10 + 11 * num_selectors )
92
+ /* length < 10 + 11 * num_selectors ? */
94
+ ( length - 10 ) / 11 < num_selectors )
97
/* check selectors, they must be in increasing order */
99
FT_ULong lastBase = 0;
102
- if ( defp + numRanges * 4 > valid->limit )
103
+ /* defp + numRanges * 4 > valid->limit ? */
104
+ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
105
FT_INVALID_TOO_SHORT;
107
for ( i = 0; i < numRanges; ++i )
108
@@ -2827,7 +2847,8 @@
109
FT_ULong i, lastUni = 0;
112
- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
113
+ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
114
+ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
115
FT_INVALID_TOO_SHORT;
117
for ( i = 0; i < numMappings; ++i )