Bug 96676

Summary: Check range of FcWeightFromOpenType argument.
Product: fontconfig
Reporter: Tobias Stoeckmann <tobias>
Component: library
Assignee: fontconfig-bugs
Status: RESOLVED FIXED
QA Contact: Behdad Esfahbod <freedesktop>
Severity: normal
Priority: medium
CC: akira, freedesktop, freedesktop
Version: 2.11
Hardware: Other
OS: All
Attachments: patch to fix this issue

Description Tobias Stoeckmann 2016-06-25 17:14:15 UTC
Created attachment 124719
patch to fix this issue

The argument to FcWeightToOpenType is already properly upper bounded,
but the same check should be done in FcWeightFromOpenType, too.

This fixes an out of boundary access while iterating over array on
malicious font input.
Comment 1 Behdad Esfahbod 2016-06-29 19:17:39 UTC
Actually I prefer if we extrapolate larger numbers instead of rejecting them.  We already rely on that in the GX variation fonts codepath.
Comment 2 Akira TAGOH 2016-06-30 02:54:16 UTC
I guess this may be what you prefer, right?

diff --git a/src/fcweight.c b/src/fcweight.c
index 1a3b608..036a518 100644
--- a/src/fcweight.c
+++ b/src/fcweight.c
@@ -75,6 +75,7 @@ FcWeightFromOpenType (int ot_weight)
                case 9: ot_weight = 900; break;
            }
        }
+       ot_weight = FC_MIN (ot_weight, map[(sizeof (map) / sizeof (map[0])) - 1].ot);
 
        for (i = 1; ot_weight > map[i].ot; i++)
          ;
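Review bot: The added FC_MIN line is the only thing that keeps the scan `for (i = 1; ot_weight > map[i].ot; i++)` inside `map`, since the loop has no index bound of its own, and nothing in the code records that dependency. A one-line comment above the clamp saying that it guarantees termination at the last entry would stop a later cleanup from removing it or moving it below the loop. The expression `(sizeof (map) / sizeof (map[0])) - 1` would also read better as a named constant for the last index. Note that the clamp saturates every value above the last `.ot` entry to that entry rather than extrapolating past it, so it is worth confirming that this is the behaviour comment 1 asked for. The hunk only bounds the upper side; handling of values at or below `map[0].ot` is not visible here and should be checked separately.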
Comment 3 Akira TAGOH 2016-07-04 02:38:46 UTC
*** Bug 96609 has been marked as a duplicate of this bug. ***
Comment 4 Akira TAGOH 2016-07-08 05:19:17 UTC
fixed in git as comment#2.
