Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mismatch between cffread.c:saveBlend() and cffwrite_dict.c:saveRealBlendOp() #940

Closed
cjchapman opened this issue Aug 29, 2019 · 1 comment · Fixed by #941
Closed

mismatch between cffread.c:saveBlend() and cffwrite_dict.c:saveRealBlendOp() #940

cjchapman opened this issue Aug 29, 2019 · 1 comment · Fixed by #941
Assignees
@blueshade7
Labels
bug c-tools tx

Comments

@cjchapman
Copy link
Contributor

cjchapman commented Aug 29, 2019
edited
Loading

In cffread.c:saveBlend() we’re allocating numBlends + numRegions values:

        unsigned short numBlendValues = (unsigned short)(numBlends + numRegions);
        float *blendValues = (float *)memNew(h, sizeof(abfOpEntry) * numBlendValues);

...but in cffwrite_dict.c:saveRealBlendOp() we’re trying to access numBlends * numRegions values:

    for (k = 0; k <= numRegions; k++) {
        int curIndex = (k + 1) * numBlends - 1;
        for (j = 1; j < numBlends; j++) {
            blendValues[curIndex] -= blendValues[curIndex - 1];
            curIndex--;
        }
    }

I thought of changing the allocation in saveBlend() to:

        unsigned short numBlendValues = (unsigned short)(numBlends * numRegions);

...but saveBlend() only writes numRegions values:

        for (i = 0; i < numRegions; i++) {
            blendValues[i + 1] = stackEntry->blend_val[i] + defaultValue;
        }

...so I think there’s some bigger problem here.

Attached are two fuzzed fonts produced by AFL that will cause a crash in saveRealBlendOp() if you build tx with Address Sanitizer and run it with the -cff2 option:
tx_cff2_crashes.zip
@blueshade7
Copy link
Contributor

blueshade7 commented Aug 29, 2019
edited
Loading

saveBlend() appears to make certain assumptions about the input for a Private Dict operator expecting one value. There must be one value or when blended, numBlend must be one. Such assumptions maybe broken by fuzzed fonts.

@blueshade7 blueshade7 mentioned this issue Aug 29, 2019
Merged
miguelsousa pushed a commit that referenced this issue Aug 30, 2019
@blueshade7 @miguelsousa
[tx] Fail if numBlends is neither 0 or 1 (#941)
97eb224 
* saveBlend to handle numBlends==0 or 1

Fixes #940
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@blueshade7 blueshade7

Labels
bug c-tools tx
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #940: saveBlend() handles zero or one blend only adobe-type-tools/afdko
2 participants
@cjchapman @blueshade7