File fontforge-CVE-2020-5395-5496.patch of Package fontforge

Overview Repositories Revisions Requests Users Attributes Meta

File fontforge-CVE-2020-5395-5496.patch of Package fontforge (Revision db0813d36b1aaecc874371d85ba7b219)

Currently displaying revision db0813d36b1aaecc874371d85ba7b219 , Show latest

diff --git a/fontforge/sfd.c b/fontforge/sfd.c
index d76a86c94..91d064c68 100644
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -3885,13 +3885,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
     while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
 	if ( cur!=NULL ) {
 	    if ( cur->spiro_cnt>=cur->spiro_max )
-		cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
+		cur->spiros = realloc(cur->spiros,
+		                      (cur->spiro_max+=10)*sizeof(spiro_cp));
 	    cur->spiros[cur->spiro_cnt++] = cp;
 	}
     }
-    if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+    if (    cur!=NULL && cur->spiro_cnt>0
+         && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
 	if ( cur->spiro_cnt>=cur->spiro_max )
-	    cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
+	    cur->spiros = realloc(cur->spiros,
+	                          (cur->spiro_max+=1)*sizeof(spiro_cp));
 	memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
 	cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
     }
@@ -7810,10 +7813,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
     else if ( strmatch(tok,"LayerCount:")==0 )
     {
 	d->had_layer_cnt = true;
-	getint(sfd,&sf->layer_cnt);
-	if ( sf->layer_cnt>2 ) {
+	int layer_cnt_tmp;
+	getint(sfd,&layer_cnt_tmp);
+	if ( layer_cnt_tmp>2 ) {
 	    sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
 	    memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+	    sf->layer_cnt = layer_cnt_tmp;
 	}
     }
     else if ( strmatch(tok,"Layer:")==0 )
@@ -8766,6 +8771,10 @@ exit( 1 );
 	}
     }
 
+    // Many downstream functions assume this isn't NULL (use strlen, etc.)
+    if ( sf->fontname==NULL)
+	sf->fontname = copy("");
+
     if ( fromdir )
 	sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
     else if ( sf->subfontcnt!=0 ) {
diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
index 34497d317..e45b6950a 100644
--- a/fontforge/sfd1.c
+++ b/fontforge/sfd1.c
@@ -671,7 +671,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
 
     /* Fix up some gunk from really old versions of the sfd format */
     SFDCleanupAnchorClasses(&sf->sf);
-    if ( sf->sf.uni_interp==ui_unset )
+    if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
 	sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
 
     /* Fixup for an old bug */
-- 
2.24.1

Places

File fontforge-CVE-2020-5395-5496.patch of Package fontforge (Revision db0813d36b1aaecc874371d85ba7b219)

Places