As we do not check the status after _cairo_output_stream_printf
and _cairo_memory_stream_copy (which are more common operations)
anyway.
This simplifies the code, but keeps it correct, as the status
will be propagated anyway, just a bit later.
Now the SVG surface should work correctly work with bounded and unbounded image (-like) and recording surfaces with NONE and REPEAT extends as source for all operations.
Fill or stroke with an unbounded surface as source now means using clip or mask respectively.
Fix using unitialized memory in the SVG surface.
Also fix unintialized memory and working with offsetted images in the recording surface.
This function parses some raw font data and it trusts the font to be
well-formed. This means that a font can just say "this segment is a
gigabyte large" and the code will happily jump ahead in memory. Bad
things then happen in practice.
Fix this by adding lots of bounds check.
Also, an existing bounds check makes sure we are still before the end of
the data, but then happily reads the next six bytes. Fix this by making
sure we actually have six bytes of data.
No regression test since the last few times I tried to do this for font
issues, I ended up with a large/huge blob of font data. Too large for
the test suite.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27969
Signed-off-by: Uli Schlachter <psychon@znc.in>
Tested with valgrind. Before this patch, I got the following "definitely
lost" entry, which is gone afterwards:
94,416 bytes in 1 blocks are definitely lost in loss record 427 of 427
at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4B053F8: cairo_truetype_font_write_glyf_table (cairo-truetype-subset.c:625)
by 0x4B06219: cairo_truetype_font_generate (cairo-truetype-subset.c:991)
by 0x4B06917: cairo_truetype_subset_init_internal (cairo-truetype-subset.c:1159)
by 0x4B06D72: _cairo_truetype_subset_init_pdf (cairo-truetype-subset.c:1255)
by 0x4B6B113: _cairo_pdf_surface_emit_truetype_font_subset (cairo-pdf-surface.c:5892)
by 0x4B6C2AD: _cairo_pdf_surface_emit_unscaled_font_subset (cairo-pdf-surface.c:6366)
by 0x4B02FC7: _cairo_sub_font_collect (cairo-scaled-font-subsets.c:741)
by 0x4B03A7A: _cairo_scaled_font_subsets_foreach_internal (cairo-scaled-font-subsets.c:1062)
by 0x4B03B21: _cairo_scaled_font_subsets_foreach_unscaled (cairo-scaled-font-subsets.c:1090)
by 0x4B6C3ED: _cairo_pdf_surface_emit_font_subsets (cairo-pdf-surface.c:6412)
by 0x4B62B1A: _cairo_pdf_surface_finish (cairo-pdf-surface.c:2222)
To reproduce, run the test case from the below link.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28023
Signed-off-by: Uli Schlachter <psychon@znc.in>
