Add protection against out-of-bounds read in ttconv #20629
Conversation
There was a problem hiding this comment.
Awesome! 🎉
Can we introduce a test (likely the code sample in #20628 (comment)) here?
(that raises another bug, but is there a way we can trigger only this out-of-bounds error?)
Or.. testing ttconv snippets are out of scope of Matplotlib?
|
You should try to use the linking keywords when you know this fixes the issue. Since I've merged the other PR, please add a test here. |
Sorry, about that. I've updated the other open PRs.
Thanks! I'll rebase the PR. It would be super difficult to test the initial issue, i.e. a test that would fail on an out-of-bounds read. The table search exits in most cases by chance. At some point, random bytes interpreted as a table name make the algorithm think it is already beyond the sought for entry. To test this manually, I ran I can, however, add a test, like the example, to make sure that the output is valid (but this test would succeed in ~99% of the cases even without this PR). |
|
Yes, but it would at least check that the change from the other PR wouldn't break. We'll have to live with the possibility of a flaky error if this one resurfaces, but that's unlikely anyway. I was able to replicate this issue in valgrind, so at least that's known to be fixed. |
This commit adds to counter to track how many tables are read from the table directory and stops the search for further tables early if the total number of tables has been reached.
The new test case checks that Type 42 fonts without the prep table (here stix), are properly embedded. The test succeeds if the embedded font contains values for searchRange, entrySelector, rangeShift; and no erroneous out-of-bounds read occurs while searching for the missing prep table.
1073013 to
deefcba
Compare
…629-on-v3.4.x Backport PR #20629 on branch v3.4.x (Add protection against out-of-bounds read in ttconv)
This PR addresses #20628.
PR Summary
The member variable
font->numTablesindicates the number of tables stored in the directory table. The size of the memory allocated for the directory table is derived from this variable. This PR adds a safe-guard inttfont_sfnts()to preventptrto move beyond the end of the table and thus prevent read-access beyond the memory allocated forfont->offset_table.See #20628
PR Checklist
pytestpasses).flake8on changed files to check).flake8-docstringsand runflake8 --docstring-convention=all).doc/users/next_whats_new/(follow instructions in README.rst there).doc/api/next_api_changes/(follow instructions in README.rst there).