In cffread.c:saveBlend() we’re allocating numBlends + numRegions values, but in cffwrite_dict.c:saveRealBlendOp() we’re trying to access numBlends * numRegions values:

```c
for (k = 0; k <= numRegions; k++) {
    int curIndex = (k + 1) * numBlends - 1;
    for (j = 1; j < numBlends; j++) {
        blendValues[curIndex] -= blendValues[curIndex - 1];
        curIndex--;
    }
}
```
I thought of changing the allocation in saveBlend() to:

```c
unsigned short numBlendValues = (unsigned short)(numBlends * numRegions);
```
...but saveBlend() only writes numRegions values:

```c
for (i = 0; i < numRegions; i++) {
    blendValues[i + 1] = stackEntry->blend_val[i] + defaultValue;
}
```
...so I think there’s some bigger problem here.
Attached are two fuzzed fonts produced by AFL that will cause a crash in saveRealBlendOp() if you build tx with Address Sanitizer and run it with the -cff2 option: tx_cff2_crashes.zip
saveBlend() appears to make certain assumptions about the input for a Private Dict operator expecting one value. There must be one value or, when blended, numBlend must be one. Such assumptions may be broken by fuzzed fonts.
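As an added illustration (not code from the afdko project or from either participant), the following C program reproduces the index arithmetic of the quoted saveRealBlendOp() loop and compares the highest index it touches against the allocation size the report describes (numBlends + numRegions). It shows why the comment's assumption holds only for numBlends == 1, where the inner loop never executes, and adds a bounds-checked variant that rejects inputs the loop would overrun instead of reading past the buffer. The function names, the float element type, and the sample values are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: highest index the delta loop in the quoted
 * saveRealBlendOp() code touches. The outer loop runs k = 0..numRegions
 * (inclusive) and starts at (k + 1) * numBlends - 1, so the maximum is
 * reached at k == numRegions. With numBlends < 2 the inner loop never
 * runs and nothing is accessed, which we report as -1. */
long max_index_touched(unsigned numBlends, unsigned numRegions) {
    if (numBlends < 2)
        return -1;
    return (long)(numRegions + 1) * numBlends - 1;
}

/* Element count as allocated in saveBlend() according to the report. */
unsigned allocated_count(unsigned numBlends, unsigned numRegions) {
    return numBlends + numRegions;
}

/* 1 if the delta loop stays inside the allocation, 0 if it would overrun. */
int access_in_bounds(unsigned numBlends, unsigned numRegions) {
    return max_index_touched(numBlends, numRegions)
           < (long)allocated_count(numBlends, numRegions);
}

/* Bounds-checked version of the delta computation (hypothetical). It
 * performs the same arithmetic as the quoted loop, but refuses to run
 * when the loop would touch an index >= count. Returns 0 on success,
 * -1 when the input is rejected. */
int delta_encode_checked(float *blendValues, size_t count,
                         unsigned numBlends, unsigned numRegions) {
    if (max_index_touched(numBlends, numRegions) >= (long)count)
        return -1;
    for (unsigned k = 0; k <= numRegions; k++) {
        long curIndex = (long)(k + 1) * numBlends - 1;
        for (unsigned j = 1; j < numBlends; j++) {
            blendValues[curIndex] -= blendValues[curIndex - 1];
            curIndex--;
        }
    }
    return 0;
}

/* Worked case on constructed data: numBlends = 2, numRegions = 3 needs
 * indices up to 7, so an 8-element buffer is accepted and the loop turns
 * each pair into (value, delta). Returns 1 if the result matches. */
int worked_case_ok(void) {
    float vals[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    if (delta_encode_checked(vals, 8, 2, 3) != 0)
        return 0;
    /* expected: {1, 1, 3, 1, 5, 1, 7, 1} */
    return vals[0] == 1 && vals[1] == 1 && vals[2] == 3 && vals[3] == 1 &&
           vals[4] == 5 && vals[5] == 1 && vals[6] == 7 && vals[7] == 1;
}

int main(void) {
    /* numBlends == 1: allocation of numRegions + 1 is never exceeded. */
    printf("numBlends=1 numRegions=3 in bounds: %d\n", access_in_bounds(1, 3));
    /* numBlends == 2: loop reaches index 7 but only 5 elements exist. */
    printf("numBlends=2 numRegions=3 in bounds: %d (max index %ld, allocated %u)\n",
           access_in_bounds(2, 3), max_index_touched(2, 3), allocated_count(2, 3));
    printf("checked variant rejects the 5-element buffer: %d\n",
           delta_encode_checked((float[5]){0}, 5, 2, 3));
    printf("worked case ok: %d\n", worked_case_ok());
    return 0;
}
```

The check in delta_encode_checked() is the kind of guard a writer that consumes fuzzed input needs: the index arithmetic is unchanged, so well-formed fonts behave exactly as before, while inputs whose numBlends and numRegions imply more elements than were allocated are turned into an error return rather than an out-of-bounds access that only Address Sanitizer would make visible.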