bug 553272 - (freetype) validate counts in fvar header. r=blassey
authorJonathan Kew <jfkthame@gmail.com>
Tue, 06 Apr 2010 21:24:33 +0100
changeset 40506 64ebf70ed4a201c96db2e65b6fda6ccd31b6e91d
parent 40505 4365eabf7fb0737b3055ae5f5e9da8a0cd0032c2
child 40507 32471a45b39b2d81cc608ec9aea39f45b51fbef9
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersblassey
bugs553272
milestone1.9.3a4pre
bug 553272 - (freetype) validate counts in fvar header. r=blassey
modules/freetype2/README.moz-patches
modules/freetype2/src/truetype/ttgxvar.c
new file mode 100644
--- /dev/null
+++ b/modules/freetype2/README.moz-patches
@@ -0,0 +1,8 @@
+This directory contains freetype2 v2.3.12 downloaded from
+http://savannah.nongnu.org/download/freetype/
+
+Makefile.in is added for the mozilla build.
+
+Additional patch applied locally:
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=25e742c573e3b88e5a4e342733f1836466628ff8
+(Add overflow check to `fvar' table; see bug 553273)
--- a/modules/freetype2/src/truetype/ttgxvar.c
+++ b/modules/freetype2/src/truetype/ttgxvar.c
@@ -677,28 +677,32 @@
       fvar_start = FT_STREAM_POS( );
 
       if ( FT_STREAM_READ_FIELDS( fvar_fields, &fvar_head ) )
         goto Exit;
 
       if ( fvar_head.version != (FT_Long)0x00010000L                      ||
            fvar_head.countSizePairs != 2                                  ||
            fvar_head.axisSize != 20                                       ||
+           /* axisCount limit implied by 16-bit instanceSize */
+           fvar_head.axisCount > 0x3ffe                                   ||
            fvar_head.instanceSize != 4 + 4 * fvar_head.axisCount          ||
+           /* instanceCount limit implied by limited range of name IDs */
+           fvar_head.instanceCount > 0x7eff                               ||
            fvar_head.offsetToData + fvar_head.axisCount * 20U +
              fvar_head.instanceCount * fvar_head.instanceSize > table_len )
       {
         error = TT_Err_Invalid_Table;
         goto Exit;
       }
 
       if ( FT_NEW( face->blend ) )
         goto Exit;
 
-      /* XXX: TODO - check for overflows */
+      /* cannot overflow 32-bit arithmetic because of limits above */
       face->blend->mmvar_len =
         sizeof ( FT_MM_Var ) +
         fvar_head.axisCount * sizeof ( FT_Var_Axis ) +
         fvar_head.instanceCount * sizeof ( FT_Var_Named_Style ) +
         fvar_head.instanceCount * fvar_head.axisCount * sizeof ( FT_Fixed ) +
         5 * fvar_head.axisCount;
 
       if ( FT_ALLOC( mmvar, face->blend->mmvar_len ) )
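Review bot: The two new bounds, `0x3ffe` on axisCount and `0x7eff` on instanceCount, are bare magic numbers whose derivation the adjacent comments only hint at, so a later edit to the `instanceSize != 4 + 4 * fvar_head.axisCount` test on the next line could silently invalidate them. I would spell the arithmetic out: `/* axisCount limit: instanceSize = 4 + 4 * axisCount must fit in 16 bits, so axisCount <= (0xFFFF - 4) / 4 = 0x3FFE */`, and for instanceCount state which name-ID range the figure comes from (0x7EFF reads like 32767 - 256, the font-specific name-ID range, but that should be confirmed against the spec rather than left implicit). The comment that replaces the old TODO would also be more checkable with the worst-case figure it relies on: the dominant term, `instanceCount * axisCount * sizeof ( FT_Fixed )`, is at most 0x7EFF * 0x3FFE * sizeof ( FT_Fixed ), roughly 2.13e9 for a 4-byte FT_Fixed, which is why it stays below 2^32; it is also worth noting that the earlier table_len test already ties instanceCount * instanceSize to the table size, so the allocation that follows is bounded by the table rather than by the 16-bit fields alone. The enclosing function starts and ends outside the hunk.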