File fontforge-CVE-2020-5395-5496.patch of Package fontforge.13795
diff --git a/fontforge/sfd.c b/fontforge/sfd.c
index d76a86c94..91d064c68 100644
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -3885,13 +3885,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
if ( cur!=NULL ) {
if ( cur->spiro_cnt>=cur->spiro_max )
- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
+ cur->spiros = realloc(cur->spiros,
+ (cur->spiro_max+=10)*sizeof(spiro_cp));
cur->spiros[cur->spiro_cnt++] = cp;
}
}
- if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+ if ( cur!=NULL && cur->spiro_cnt>0
+ && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
if ( cur->spiro_cnt>=cur->spiro_max )
- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
+ cur->spiros = realloc(cur->spiros,
+ (cur->spiro_max+=1)*sizeof(spiro_cp));
memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
}
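Review bot: The two realloc calls on the reformatted lines (inside the fscanf loop and before the SPIRO_END append) still assign straight back to cur->spiros, so a NULL return both leaks the old array and is dereferenced on the very next line; the new spiro_cnt>0 guard does not cover that. Growing through a temporary keeps the array valid on failure, e.g. `spiro_cp *grown = realloc(cur->spiros,(cur->spiro_max+10)*sizeof(spiro_cp));` / `if ( grown==NULL ) break;` / `cur->spiros = grown; cur->spiro_max += 10;`, with +1 and a return instead of break at the second site (a failure there would merely skip the synthesized end point). Written that way spiro_max is only raised once the allocation succeeded, unlike the `+=` inside the argument. The opening of SFDGetSpiros, where cp is declared, lies before this hunk.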
@@ -7810,10 +7813,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
else if ( strmatch(tok,"LayerCount:")==0 )
{
d->had_layer_cnt = true;
- getint(sfd,&sf->layer_cnt);
- if ( sf->layer_cnt>2 ) {
+ int layer_cnt_tmp;
+ getint(sfd,&layer_cnt_tmp);
+ if ( layer_cnt_tmp>2 ) {
sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+ sf->layer_cnt = layer_cnt_tmp;
}
}
else if ( strmatch(tok,"Layer:")==0 )
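Review bot: The realloc and memset on the two context lines after the new `if ( layer_cnt_tmp>2 )` still size the array from the old sf->layer_cnt, and only afterwards does the added line raise sf->layer_cnt to layer_cnt_tmp, so the layers array ends up shorter than the count the rest of the parser will index by. Both should use the value just read: `sf->layers = realloc(sf->layers,layer_cnt_tmp*sizeof(LayerInfo));` and `memset(sf->layers+2,0,(layer_cnt_tmp-2)*sizeof(LayerInfo));`. getint's return is not checked here; if it can fail without storing, layer_cnt_tmp is used uninitialized, so `int layer_cnt_tmp = 0;` is a cheap guard, and since the count comes straight from the file a sanity upper bound before the multiply would stop a huge or negative value from becoming an oversized allocation. SFD_GetFontMetaData continues outside the hunk.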
@@ -8766,6 +8771,10 @@ exit( 1 );
}
}
+ // Many downstream functions assume this isn't NULL (use strlen, etc.)
+ if ( sf->fontname==NULL)
+ sf->fontname = copy("");
+
if ( fromdir )
sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
else if ( sf->subfontcnt!=0 ) {
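Review bot: The added fallback silently normalises a font whose name was never set (presumably an SFD lacking a FontName: line) to an empty name, so later callers get a valid but empty string rather than any signal that the input was malformed; if this loader already reports such problems elsewhere, emitting one here would be consistent. The result of copy("") is also assigned unchecked, which matters only if copy can return NULL on allocation failure. The comment would be more useful stating the condition being repaired: `/* fontname stays NULL when the file never set it; downstream code (strlen, etc.) assumes it is non-NULL */`. The enclosing function begins before this hunk.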
diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
index 34497d317..e45b6950a 100644
--- a/fontforge/sfd1.c
+++ b/fontforge/sfd1.c
@@ -671,7 +671,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
/* Fix up some gunk from really old versions of the sfd format */
SFDCleanupAnchorClasses(&sf->sf);
- if ( sf->sf.uni_interp==ui_unset )
+ if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
/* Fixup for an old bug */
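Review bot: With the added map!=NULL condition a font without an encoding map now keeps uni_interp at ui_unset, a state the old code never left behind, so any consumer that only handles the resolved values sees a new case. The call already names ui_none as its fallback, so the same default can be applied directly when there is no map: `if ( sf->sf.uni_interp==ui_unset )` / `sf->sf.uni_interp = sf->sf.map!=NULL ? interp_from_encoding(sf->sf.map->enc,ui_none) : ui_none;`. Whether ui_unset is tolerated downstream is not visible here; SFD_AssignLookups continues beyond the hunk.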
--
2.24.1