bug 553272 - (freetype) validate counts in fvar header. r=blassey

modules/freetype2/README.moz-patches

@@ -0,0 +1,8 @@
+This directory contains freetype2 v2.3.12 downloaded from
+http://savannah.nongnu.org/download/freetype/
+
+Makefile.in is added for the mozilla build.
+
+Additional patch applied locally:
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=25e742c573e3b88e5a4e342733f1836466628ff8
+(Add overflow check to `fvar' table; see bug 553273)

modules/freetype2/src/truetype/ttgxvar.c

@@ -682,7 +682,11 @@
       if ( fvar_head.version != (FT_Long)0x00010000L                      ||
            fvar_head.countSizePairs != 2                                  ||
            fvar_head.axisSize != 20                                       ||
+           /* axisCount limit implied by 16-bit instanceSize */
+           fvar_head.axisCount > 0x3ffe                                   ||
            fvar_head.instanceSize != 4 + 4 * fvar_head.axisCount          ||
+           /* instanceCount limit implied by limited range of name IDs */
+           fvar_head.instanceCount > 0x7eff                               ||
            fvar_head.offsetToData + fvar_head.axisCount * 20U +
              fvar_head.instanceCount * fvar_head.instanceSize > table_len )
       {
@@ -693,7 +697,7 @@
       if ( FT_NEW( face->blend ) )
         goto Exit;
 
-      /* XXX: TODO - check for overflows */
+      /* cannot overflow 32-bit arithmetic because of limits above */
       face->blend->mmvar_len =
         sizeof ( FT_MM_Var ) +
         fvar_head.axisCount * sizeof ( FT_Var_Axis ) +