shithub: freetype+ttf2subf

ref: db0f2c448eee26cc3f432276144fac8c3f110f34
parent: a34afe6786cfd9fb129d7d0be1e8fa92268a2c46
author: Werner Lemberg <wl@gnu.org>
date: Sat Jun 12 06:05:07 EDT 2021

[psaux] Fix another assertion.

* src/psaux/psintrp.c (cf2_interpT2CharString)
<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
problem can happen with invalid user input.

Test case is file

  fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read

in the `freetype2-testing` repository.
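The pattern this commit applies, as an added illustration that is not FreeType code: an operand stack consumer that refuses a charstring asking for more operands than were pushed, returning an error instead of relying on an assertion that disappears in release builds. The type `Stack_UInt`, the struct `OpStack`, the functions and the error codes are hypothetical stand-ins for `CF2_UInt`, `opStack`, `cf2_stack_count` and `FT_THROW( Invalid_Glyph_Format )`.

```c
#include <stdio.h>

/* Hypothetical stand-ins (not FreeType's own names) for the types and
 * error codes used in cf2_interpT2CharString. */
typedef unsigned int Stack_UInt;

#define ERR_OK                    0
#define ERR_INVALID_GLYPH_FORMAT  1   /* stand-in for FT_THROW( Invalid_Glyph_Format ) */

typedef struct {
    int        items[16];
    Stack_UInt count;   /* number of operands currently on the stack */
} OpStack;

/* Compute the index of the first OtherSubr argument the way the patched
 * code does, but refuse when the charstring names more operands than
 * were pushed. `arg_cnt` is signed because it comes straight from the
 * untrusted charstring. */
int consume_othersubr_args(const OpStack *stack, int arg_cnt, Stack_UInt *opIdx)
{
    Stack_UInt count = stack->count;

    /* Same cast as the patch: a negative arg_cnt becomes a huge unsigned
     * value and is rejected by the same comparison. */
    if ((Stack_UInt)arg_cnt > count) {
        fprintf(stderr, "stack underflow: wanted %d, have %u\n", arg_cnt, count);
        return ERR_INVALID_GLYPH_FORMAT;
    }

    /* Safe: count >= arg_cnt, so the unsigned subtraction cannot wrap. */
    *opIdx = count - (Stack_UInt)arg_cnt;
    return ERR_OK;
}

/* What the removed FT_ASSERT let through in a build where assertions
 * compile to nothing: the unsigned subtraction silently wraps. */
Stack_UInt unchecked_opidx(Stack_UInt count, int arg_cnt)
{
    return count - (Stack_UInt)arg_cnt;   /* wraps when arg_cnt > count */
}

/* Constructed scenario: three operands pushed, charstring asks for `arg_cnt`.
 * Returns the error code; writes the computed index (untouched on error). */
int demo_request(int arg_cnt, Stack_UInt *opIdx)
{
    OpStack st = { {1, 2, 3}, 3 };   /* constructed input */
    return consume_othersubr_args(&st, arg_cnt, opIdx);
}

int main(void)
{
    Stack_UInt idx = 0;
    int err;

    err = demo_request(2, &idx);
    printf("arg_cnt=2: err=%d opIdx=%u\n", err, idx);            /* err=0 opIdx=1 */

    err = demo_request(5, &idx);
    printf("arg_cnt=5: err=%d (opIdx unchanged=%u)\n", err, idx); /* err=1 opIdx=1 */

    err = demo_request(-1, &idx);
    printf("arg_cnt=-1: err=%d\n", err);                          /* err=1 */

    printf("unchecked 3-5: %u\n", unchecked_opidx(3, 5));         /* wrapped, far above 3 */
    return 0;
}
```

The check is placed before the subtraction, exactly as in the hunk, because once `opIdx` has wrapped every later read from the stack is out of bounds; the error return lets the glyph be rejected instead.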

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,9 +1,29 @@
 2021-06-12  Werner Lemberg  <wl@gnu.org>
 
+	[psaux] Fix another assertion.
+
+	* src/psaux/psintrp.c (cf2_interpT2CharString)
+	<cf2_escCALLOTHERSUBR>: Convert assertion into error, since the
+	problem can happen with invalid user input.
+
+	Test case is file
+
+	  fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read
+
+	in the `freetype2-testing` repository.
+
+2021-06-12  Werner Lemberg  <wl@gnu.org>
+
 	[psaux] Fix assertions.
 
 	* src/psaux/pshints.c (cf2_hintmap_adjustHints): Check for overflow
 	before emitting an assertion error.
+
+	Test case is file
+
+	 fuzzing/corpora/legacy/oss-fuzz/4594115297673216-integer-overflow
+
+	in the `freetype2-testing` repository.
 
 2021-06-09  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
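Review bot: the indentation of the test-case path differs between the two entries in this hunk: the new entry puts two spaces after the tab (`\t  fuzzing/corpora/legacy/oss-fuzz/5754332360212480-unknown-read`) while the path added to the existing "[psaux] Fix assertions." entry puts one (`\t fuzzing/corpora/legacy/oss-fuzz/4594115297673216-integer-overflow`); use the same indentation in both so the ChangeLog stays consistent.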
--- a/src/psaux/psintrp.c
+++ b/src/psaux/psintrp.c
@@ -1670,7 +1670,13 @@
                      */
 
                     count = cf2_stack_count( opStack );
-                    FT_ASSERT( (CF2_UInt)arg_cnt <= count );
+                    if ( (CF2_UInt)arg_cnt > count )
+                    {
+                      FT_ERROR(( "cf2_interpT2CharString (Type 1 mode):"
+                                 " stack underflow\n" ));
+                      lastError = FT_THROW( Invalid_Glyph_Format );
+                      goto exit;
+                    }
 
                     opIdx += count - (CF2_UInt)arg_cnt;
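Review bot: the new check sits before `opIdx += count - (CF2_UInt)arg_cnt;`, which is the right place: in a build where FT_ASSERT compiles to nothing the removed assertion gave no protection, and for a charstring that names more arguments than it pushed the unsigned subtraction wrapped `opIdx` to a huge value, whereas now such input fails with `Invalid_Glyph_Format` through the existing `lastError`/`goto exit` path. Consider adding the fuzzing corpus file named in the commit message to the regression suite so this error path stays exercised rather than only documented in the ChangeLog.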