
From 4de0c58a01e5e30610c200e9aea98bc7db12c7ac Mon Sep 17 00:00:00 2001
From: Jeremy Tan <jtanx@outlook.com>
Date: Sun, 30 Jul 2017 10:20:48 +0800
Subject: [PATCH 3/6] Fix out of bounds read condition and buffer overflow
 condition

* parsettf.c: Reading past the end of the fontnames array
* psread.c: Reading more data than is available in type1
* tottf.c: Use snprintf instead of sprintf

Closes #3096
---
 fontforge/parsettf.c | 4 ++++
 fontforge/psread.c   | 5 +++++
 fontforge/tottf.c    | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/fontforge/parsettf.c b/fontforge/parsettf.c
index 982f86a51..90ac6eb62 100644
--- a/fontforge/parsettf.c
+++ b/fontforge/parsettf.c
@@ -3324,6 +3324,10 @@ return( NULL );
 	offsets[i] = getoffset(ttf,offsize);
     dicts = malloc((count+1)*sizeof(struct topdicts *));
     for ( i=0; i<count; ++i ) {
+	if (fontnames != NULL && fontnames[i] == NULL) {
+		LogError(_("Number of CFF font names is less than dict size: %d < %d"), i, count);
+		break;
+	}
 	dicts[i] = readcfftopdict(ttf,fontnames!=NULL?fontnames[i]:NULL,
 		offsets[i+1]-offsets[i], info);
 	if ( parent_dict!=NULL && parent_dict->fontmatrix_set ) {
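Review bot: The added `break` leaves `dicts[i]` through `dicts[count]` uninitialized, because `dicts` is obtained from `malloc` two lines above the loop rather than `calloc`; whether that is harmless depends on code outside this hunk, namely whether the array is NULL-terminated after the loop and whether its consumers stop at the terminator or iterate to `count`. Writing `dicts[i] = NULL;` before the `break`, or changing the allocation to `dicts = calloc(count+1, sizeof(struct topdicts *));`, removes that dependency. The guard also assumes `fontnames` itself is NULL-terminated with at least `count` readable slots, which is established where that array is built, outside this hunk; a short comment on the check, such as `/* fontnames is NULL-terminated; stop rather than index past its end */`, would record that. The enclosing function begins and ends outside the hunk.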
diff --git a/fontforge/psread.c b/fontforge/psread.c
index 9e19f25b2..4e0aa2130 100644
--- a/fontforge/psread.c
+++ b/fontforge/psread.c
@@ -3665,6 +3665,11 @@ SplineChar *PSCharStringToSplines(uint8 *type1, int len, struct pscontext *conte
 		stack[sp++] = -(v-251)*256 - *type1++ - 108;
 		--len;
 	    } else {
+		if (len < 4) {
+			LogError(_("Not enough data: %d < 4"), len);
+			len = 0;
+			break;
+		}
 		int val = (*type1<<24) | (type1[1]<<16) | (type1[2]<<8) | type1[3];
 		stack[sp++] = val;
 		type1 += 4;
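Review bot: The new `len < 4` guard protects only the four-byte operand branch; the two-byte branches, one of whose tail is visible at the top of this hunk (`-(v-251)*256 - *type1++ - 108; --len;`), still dereference `*type1++` without checking that at least one byte remains, so a charstring ending in a byte in the 247–254 range presumably still reads one byte past the end. The same one-line pattern fits there: `if (len < 1) { LogError(_("Not enough data: %d < 1"), len); len = 0; break; }`. Setting `len = 0` before `break` is redundant if the loop condition is `len > 0`, but the loop header is outside the hunk, so the belt-and-braces form is reasonable; a comment such as `/* truncated charstring: abandon the rest rather than over-read */` would make the intent clear. The enclosing function starts and ends outside this hunk.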
diff --git a/fontforge/tottf.c b/fontforge/tottf.c
index a832a79ef..5f0ecaaad 100644
--- a/fontforge/tottf.c
+++ b/fontforge/tottf.c
@@ -3826,7 +3826,7 @@ void DefaultTTFEnglishNames(struct ttflangname *dummy, SplineFont *sf) {
     if ( dummy->names[ttf_uniqueid]==NULL || *dummy->names[ttf_uniqueid]=='\0' ) {
 	time(&now);
 	tm = localtime(&now);
-	sprintf( buffer, "%s : %s : %d-%d-%d",
+	snprintf( buffer, sizeof(buffer), "%s : %s : %d-%d-%d",
 		BDFFoundry?BDFFoundry:TTFFoundry?TTFFoundry:"FontForge 2.0",
 		sf->fullname!=NULL?sf->fullname:sf->fontname,
 		tm->tm_mday, tm->tm_mon+1, tm->tm_year+1900 );
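Review bot: The `snprintf` return value is not examined, so an over-long foundry name or `fullname` now silently truncates the unique-id string instead of overflowing; that is acceptable for an informational name-table entry, but it deserves a comment, for example `/* truncation is acceptable: the uniqueid string is informational */`. `sizeof(buffer)` bounds the write correctly only if `buffer` is a local array rather than a pointer; its declaration is outside the hunk, so confirm that before relying on it. Separately, `localtime` may return NULL and the `tm->` dereferences that follow are unchecked, though that predates this change. The enclosing function continues outside the hunk.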
-- 
2.13.3