bug 553272 - (freetype) validate counts in fvar header. r=blassey
authorJonathan Kew <jfkthame@gmail.com>
Tue, 06 Apr 2010 21:24:33 +0100
changeset 40506 64ebf70ed4a201c96db2e65b6fda6ccd31b6e91d
parent 40505 4365eabf7fb0737b3055ae5f5e9da8a0cd0032c2
child 40507 32471a45b39b2d81cc608ec9aea39f45b51fbef9
push id12638
push userjkew@mozilla.com
push dateTue, 06 Apr 2010 20:26:38 +0000
reviewersblassey
bugs553272
milestone1.9.3a4pre
bug 553272 - (freetype) validate counts in fvar header. r=blassey
modules/freetype2/README.moz-patches
modules/freetype2/src/truetype/ttgxvar.c
new file mode 100644
--- /dev/null
+++ b/modules/freetype2/README.moz-patches
@@ -0,0 +1,8 @@
+This directory contains freetype2 v2.3.12 downloaded from
+http://savannah.nongnu.org/download/freetype/
+
+Makefile.in is added for the mozilla build.
+
+Additional patch applied locally:
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=25e742c573e3b88e5a4e342733f1836466628ff8
+(Add overflow check to `fvar' table; see bug 553273)
--- a/modules/freetype2/src/truetype/ttgxvar.c
+++ b/modules/freetype2/src/truetype/ttgxvar.c
@@ -677,28 +677,32 @@
       fvar_start = FT_STREAM_POS( );
 
       if ( FT_STREAM_READ_FIELDS( fvar_fields, &fvar_head ) )
         goto Exit;
 
       if ( fvar_head.version != (FT_Long)0x00010000L                      ||
            fvar_head.countSizePairs != 2                                  ||
            fvar_head.axisSize != 20                                       ||
+           /* axisCount limit implied by 16-bit instanceSize */
+           fvar_head.axisCount > 0x3ffe                                   ||
            fvar_head.instanceSize != 4 + 4 * fvar_head.axisCount          ||
+           /* instanceCount limit implied by limited range of name IDs */
+           fvar_head.instanceCount > 0x7eff                               ||
            fvar_head.offsetToData + fvar_head.axisCount * 20U +
              fvar_head.instanceCount * fvar_head.instanceSize > table_len )
       {
         error = TT_Err_Invalid_Table;
         goto Exit;
       }
 
       if ( FT_NEW( face->blend ) )
         goto Exit;
 
-      /* XXX: TODO - check for overflows */
+      /* cannot overflow 32-bit arithmetic because of limits above */
       face->blend->mmvar_len =
         sizeof ( FT_MM_Var ) +
         fvar_head.axisCount * sizeof ( FT_Var_Axis ) +
         fvar_head.instanceCount * sizeof ( FT_Var_Named_Style ) +
         fvar_head.instanceCount * fvar_head.axisCount * sizeof ( FT_Fixed ) +
         5 * fvar_head.axisCount;
 
       if ( FT_ALLOC( mmvar, face->blend->mmvar_len ) )
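Review bot: The new limits 0x3ffe and 0x7eff are bare constants whose derivation the one-line comments only hint at, so the comment on `fvar_head.axisCount > 0x3ffe` should show it: `/* instanceSize = 4 + 4 * axisCount must fit in 16 bits: axisCount <= (0xFFFF - 4) / 4 = 0x3ffe */`. The `fvar_head.instanceCount > 0x7eff` comment should likewise name the range it is derived from (presumably the font-specific name-ID range 256..32767; confirm the exact bound). The replacement comment `cannot overflow 32-bit arithmetic because of limits above` rests on the fvar fields being 16-bit and on the sizes of FT_Var_Axis / FT_Var_Named_Style, none of which is visible in the hunk; stating the worst case inline, e.g. `/* worst case 0x7eff * 0x3ffe * sizeof ( FT_Fixed ) ~= 2.13e9 < 2^32 */`, makes the claim checkable. The enclosing function starts and ends outside the hunk.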