bug 553272 - (freetype) validate counts in fvar header. r=blassey

2010-04-06 21:24:33 +01:00 · 2010-04-06 21:24:33 +01:00 · 90253b13ad
--- a/modules/freetype2/README.moz-patches
+++ b/modules/freetype2/README.moz-patches
@ -0,0 +1,8 @@
+This directory contains freetype2 v2.3.12 downloaded from
+http://savannah.nongnu.org/download/freetype/
+
+Makefile.in is added for the mozilla build.
+
+Additional patch applied locally:
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=25e742c573e3b88e5a4e342733f1836466628ff8
+(Add overflow check to `fvar' table; see bug 553273)
--- a/modules/freetype2/src/truetype/ttgxvar.c
+++ b/modules/freetype2/src/truetype/ttgxvar.c
@ -682,7 +682,11 @@
      if ( fvar_head.version != (FT_Long)0x00010000L                      ||
           fvar_head.countSizePairs != 2                                  ||
           fvar_head.axisSize != 20                                       ||
+           /* axisCount limit implied by 16-bit instanceSize */
+           fvar_head.axisCount > 0x3ffe                                   ||
           fvar_head.instanceSize != 4 + 4 * fvar_head.axisCount          ||
+           /* instanceCount limit implied by limited range of name IDs */
+           fvar_head.instanceCount > 0x7eff                               ||
           fvar_head.offsetToData + fvar_head.axisCount * 20U +
             fvar_head.instanceCount * fvar_head.instanceSize > table_len )
      {
@ -693,7 +697,7 @@
      if ( FT_NEW( face->blend ) )
        goto Exit;

-      /* XXX: TODO - check for overflows */
+      /* cannot overflow 32-bit arithmetic because of limits above */
      face->blend->mmvar_len =
        sizeof ( FT_MM_Var ) +
        fvar_head.axisCount * sizeof ( FT_Var_Axis ) +