Hi all,

I have a test file here that when fed into MuPDF causes Freetype to die with a SEGV.

It seems that in ft_stroker_border_export, we append the border points to the outline points; this is great, except border->num_points is an int, and outline->num_points is a short, hence we can overflow.

I can share the test file for this via direct email, but I can't post it to the list (or to a public bugtracker). I have a patch to fix the problem, but I'm the first to admit that it may not be ideal.

I submit it here for your delight, delectation, mocking opportunities etc.

Please let me know if there is anything else I can do to help get this fixed in the next version of freetype.

Merry Xmas!

Robin


diff --git a/src/base/ftstroke.c b/src/base/ftstroke.c
index 5399efe..8978d72 100644
--- a/src/base/ftstroke.c
+++ b/src/base/ftstroke.c
@@ -701,6 +701,8 @@
   ft_stroke_border_export( FT_StrokeBorder  border,
                            FT_Outline*      outline )
   {
+    if (outline->n_points < 0)
+      return;
     /* copy point locations */
     FT_ARRAY_COPY( outline->points + outline->n_points,
                    border->points,
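Review bot: the entry check `outline->n_points < 0` detects overflow only indirectly, through a sentinel that a previous call must have stored; a wrapped short is not necessarily negative (0x10005 truncated to a 16-bit short is 5), so this test must not be read as catching overflow on its own. A direct check before the copy removes the dependency on the sentinel, e.g. `if ( border->num_points > SHRT_MAX - outline->n_points )` with SHRT_MAX from <limits.h>, and since the function is void the caller currently learns of the failure only by inspecting `n_points` afterwards; consider giving it an error return. Style: the rest of the file writes conditions as `if ( cond )` with spaces inside the parentheses.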
@@ -743,6 +745,10 @@
     }
 
     outline->n_points = (short)( outline->n_points + border->num_points );
+    /* Check for overflow - int's won't fit in a short. */
+    if (outline->n_points != outline->n_points + border->num_points) {
+      outline->n_points = -1;
+    }
 
     FT_ASSERT( FT_Outline_Check( outline ) == 0 );
   }
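Review bot: the overflow test is evaluated after `outline->n_points` has already been overwritten with the truncated value, so it compares `n_points` with `n_points + border->num_points`, which are equal only when `border->num_points` is zero; every non-empty border therefore sets `n_points` to -1 and the next border is dropped by the entry check, breaking stroking for all glyphs. Compute the sum first, `FT_Int total = outline->n_points + border->num_points;`, test `total > SHRT_MAX` (or `(short)total != total`), and only then assign. When the sentinel is set, return before `FT_ASSERT( FT_Outline_Check( outline ) == 0 )`, since a negative point count will trip that assertion in debug builds if FT_Outline_Check rejects it.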
@@ -2307,6 +2313,13 @@
       outline->n_contours = 0;
 
       FT_Stroker_Export( stroker, outline );
+
+      /* Check to see if the outline has overflowed */
+      if (outline->n_points < 0) {
+        FT_Outline_Done( glyph->library, outline );
+        error = FT_Err_Array_Too_Large;
+       goto Fail;
+      }
     }
 
     if ( destroy )
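Review bot: checking `n_points < 0` only after `FT_Stroker_Export` has returned means the export has already run with a wrapped point count; the check contains the damage but does not prevent it, so the point total should be rejected while it is still an int, before the outline is allocated and filled. The explicit `FT_Outline_Done( glyph->library, outline )` before `goto Fail` needs a comment on why it is there: if the Fail path already destroys the glyph and its outline it is redundant, and if it does not, the glyph structure itself is leaked. Layout: `goto Fail;` is indented one space short of its block, and `if (outline->n_points < 0) {` departs from the file's `if ( cond )` with the brace on its own line, as in the adjacent `if ( destroy )`.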
@@ -2396,6 +2409,13 @@
       outline->n_contours = 0;
 
       FT_Stroker_ExportBorder( stroker, border, outline );
+
+      /* Check to see if the outline has overflowed */
+      if (outline->n_points < 0) {
+        FT_Outline_Done( glyph->library, outline );
+        error = FT_Err_Array_Too_Large;
+       goto Fail;
+      }
     }
 
     if ( destroy )
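Review bot: this block is a verbatim copy of the one added after `FT_Stroker_Export` in the previous hunk, with the same one-space-short `goto Fail;` and the same open question about `FT_Outline_Done` versus what the Fail label already releases; factor the check into a small static helper (or at least fix both copies together) so the two export paths cannot drift apart, and, as above, prefer rejecting an oversized point count before the outline is allocated rather than after `FT_Stroker_ExportBorder` has filled it.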
_______________________________________________
Freetype mailing list
https://lists.nongnu.org/mailman/listinfo/freetype