Commit 0067441

Always NUL-terminate TrueType font table buffer.
This fixes some possible heap buffer overflows, such as the following triggered by our cmmi10.ttf:

```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000235709 at pc 0x7f95efd3c48a bp 0x7ffe41b6ecc0 sp 0x7ffe41b6ecb0
READ of size 1 at 0x617000235709 thread T0
    #0 0x7f95efd3c489 in utf16be_to_ascii extern/ttconv/pprdrv_tt.cpp:178
    #1 0x7f95efd3c489 in Read_name(TTFONT*) extern/ttconv/pprdrv_tt.cpp:339
    #2 0x7f95efd499ef in read_font(...) extern/ttconv/pprdrv_tt.cpp:1325
    #3 0x7f95efd4c602 in get_pdf_charprocs(...) extern/ttconv/pprdrv_tt.cpp:1420
    #4 0x7f95efd35c22 in py_get_pdf_charprocs src/_ttconv.cpp:217

0x617000235709 is located 1 bytes to the right of 648-byte region [0x617000235480,0x617000235708)
allocated by thread T0 here:
    #0 0x7f9612262a38 in __interceptor_calloc (/usr/lib64/libasan.so.4+0xdea38)
    #1 0x7f95efd3b261 in GetTable(TTFONT*, char const*) extern/ttconv/pprdrv_tt.cpp:140
```
1 parent 3520374 commit 0067441

1 file changed

+4
-1
lines changed

extern/ttconv/pprdrv_tt.cpp

+4-1
@@ -137,7 +137,7 @@ BYTE *GetTable(struct TTFONT *font, const char *name)
137137

138138
offset = getULONG( ptr + 8 );
139139
length = getULONG( ptr + 12 );
140-
table = (BYTE*)calloc( sizeof(BYTE), length );
140+
table = (BYTE*)calloc( sizeof(BYTE), length + 2 );
141141

142142
try
143143
{
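Review bot: the new allocation size `length + 2` at line 140 is computed from a `length` taken straight from the font (`length = getULONG( ptr + 12 )`) with no upper bound visible in this hunk, so a value near the maximum of the type wraps to a tiny allocation and the later terminator writes would land outside it; reject oversized tables before the call, e.g. `if (length > MAX_TABLE_LEN) throw ...;` (MAX_TABLE_LEN standing in for whatever bound suits this parser), and check the `calloc` result for NULL before entering the `try`, since nothing between the allocation and the `try` does so in the visible context.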
@@ -160,6 +160,9 @@ BYTE *GetTable(struct TTFONT *font, const char *name)
160160
free(table);
161161
throw;
162162
}
163+
/* Always NUL-terminate; add two in case of UTF16 strings. */
164+
table[length] = '\0';
165+
table[length + 1] = '\0';
163166
return table;
164167
}
165168

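Review bot: the two terminators written at lines 164-165 are a safety net rather than a bounds check, and the comment's UTF-16 rationale only holds when a reader lands on them as one 16-bit unit: for an odd `length`, a reader stepping two bytes at a time from an even offset sees the unit `{table[length-1], 0x00}`, which is not a terminator, and then reads `table[length+1]` and `table[length+2]`, the latter one byte past the `length + 2` allocation. A zero byte is also ordinary data in UTF-16BE (the high byte of every ASCII code unit), so if the callers named in the reported trace (`utf16be_to_ascii`, `Read_name`) rely on a NUL test to stop, that cannot substitute for checking that each string's offset plus its stated length lies within `length`; keep the terminators, but add those explicit checks in the readers and consider a slightly larger slack (e.g. `length + 4`) so the final full 16-bit read is always inside the buffer.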