From 048a91e2682c1a8936ae34dbc7bd70291ec05410 Mon Sep 17 00:00:00 2001

From: Skef Iterum <unknown>

Date: Mon, 6 Jan 2020 03:05:06 -0800

Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the

 SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the

 SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the

 SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,

 fixing #4089 #4090 and many   other potential issues (many downstream calls

 to strlen() on the value).

---

 fontforge/sfd.c  | 19 ++++++++++++++-----

 fontforge/sfd1.c |  2 +-

 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/fontforge/sfd.c b/fontforge/sfd.c

index 731be201e0..e8ca39ba83 100644

--- a/fontforge/sfd.c

+++ b/fontforge/sfd.c

@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {

     while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {

 	if ( cur!=NULL ) {

 	    if ( cur->spiro_cnt>=cur->spiro_max )

-		cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));

+		cur->spiros = realloc(cur->spiros,

+		                      (cur->spiro_max+=10)*sizeof(spiro_cp));

 	    cur->spiros[cur->spiro_cnt++] = cp;

 	}

     }

-    if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {

+    if (    cur!=NULL && cur->spiro_cnt>0

+         && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {

 	if ( cur->spiro_cnt>=cur->spiro_max )

-	    cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));

+	    cur->spiros = realloc(cur->spiros,

+	                          (cur->spiro_max+=1)*sizeof(spiro_cp));

 	memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));

 	cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;

     }

@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,

     else if ( strmatch(tok,"LayerCount:")==0 )

     {

 	d->had_layer_cnt = true;

-	getint(sfd,&sf->layer_cnt);

-	if ( sf->layer_cnt>2 ) {

+	int layer_cnt_tmp;

+	getint(sfd,&layer_cnt_tmp);

+	if ( layer_cnt_tmp>2 ) {

 	    sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));

 	    memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));

+	    sf->layer_cnt = layer_cnt_tmp;

 	}

     }

     else if ( strmatch(tok,"Layer:")==0 )

@@ -8948,6 +8953,10 @@ exit( 1 );

 	}

     }

+    // Many downstream functions assume this isn't NULL (use strlen, etc.)

+    if ( sf->fontname==NULL)

+	sf->fontname = copy("");

+

     if ( fromdir )

 	sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);

     else if ( sf->subfontcnt!=0 ) {

diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c

index cf931059d0..b42f832678 100644

--- a/fontforge/sfd1.c

+++ b/fontforge/sfd1.c

@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {

     /* Fix up some gunk from really old versions of the sfd format */

     SFDCleanupAnchorClasses(&sf->sf);

-    if ( sf->sf.uni_interp==ui_unset )

+    if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )

 	sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);

     /* Fixup for an old bug */