ref: fa147af4a5255bf9017c9b004f7abd1d5e72f497
parent: 6e49dff0052a73faaea13dd8bdf6f0724539db07
author: Werner Lemberg <wl@gnu.org>
date: Sat Feb 22 13:30:46 EST 2020
[woff2] Fix font table access. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20778 * src/sfnt/sfwoff2.c (get_x_mins): Explicitly check for presence of `head' table, which might not have been processed yet.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2020-02-22 Werner Lemberg <wl@gnu.org>
+
+ [woff2] Fix font table access.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20778
+
+ * src/sfnt/sfwoff2.c (get_x_mins): Explicitly check for presence of
+ `head' table, which might not have been processed yet.
+
2020-02-21 Werner Lemberg <wl@gnu.org>
[psaux] Make `t1_decoder_parse_metrics' handle `op_div' (#57519).
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1268,8 +1268,11 @@
FT_Error error = FT_Err_Ok;
FT_ULong offset_size;
+ /* At this point of time those tables might not have been read yet. */
const WOFF2_Table maxp_table = find_table( tables, num_tables,
TTAG_maxp );
+ const WOFF2_Table head_table = find_table( tables, num_tables,
+ TTAG_head );
if ( !maxp_table )
@@ -1278,6 +1281,12 @@
return FT_THROW( Invalid_Table );
}
+ if ( !head_table )
+ {
+ FT_ERROR(( "`head' table is missing.\n" ));
+ return FT_THROW( Invalid_Table );
+ }
+
/* Read `numGlyphs' field from `maxp' table. */
if ( FT_STREAM_SEEK( maxp_table->src_offset ) && FT_STREAM_SKIP( 8 ) )
return error;
@@ -1288,8 +1297,8 @@
info->num_glyphs = num_glyphs;
/* Read `indexToLocFormat' field from `head' table. */
- if ( FT_STREAM_SEEK( info->head_table->src_offset ) &&
- FT_STREAM_SKIP( 50 ) )
+ if ( FT_STREAM_SEEK( head_table->src_offset ) &&
+ FT_STREAM_SKIP( 50 ) )
return error;
if ( FT_READ_USHORT( index_format ) )
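Review bot: The rewritten condition for the `head' table keeps the `&&` of the line it replaces, so when FT_STREAM_SEEK succeeds (evaluates to 0) the conjunction short-circuits and FT_STREAM_SKIP( 50 ) never executes; the following FT_READ_USHORT( index_format ) then reads the first two bytes of the table instead of the `indexToLocFormat' field at offset 50. Conversely, if the seek fails but the skip then succeeds, the skip's result appears (judging by the FT_SET_ERROR convention these macros follow) to overwrite `error`, and the function continues past a failed seek. The intended form is `if ( FT_STREAM_SEEK( head_table->src_offset ) ||` / `     FT_STREAM_SKIP( 50 )                      )` / `return error;`. The `maxp' read in the previous hunk (`FT_STREAM_SEEK( maxp_table->src_offset ) && FT_STREAM_SKIP( 8 )`) uses the same operator and should get the same change. get_x_mins begins before the first sfwoff2.c hunk and continues past this one.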
@@ -2145,7 +2154,8 @@
#ifdef FT_DEBUG_LEVEL_TRACE
if ( sfnt_size != woff2.totalSfntSize )
- FT_TRACE4(( "adjusting estimate of uncompressed font size to %lu\n",
+ FT_TRACE4(( "adjusting estimate of uncompressed font size"
+ " to %lu bytes\n",
sfnt_size ));
#endif
}