Type confusion between CFF_Size and TT_Size
Originally reported as https://bugs.chromium.org/p/chromium/issues/detail?id=1429372 .
The issue is the cast to TT_Size in tt_size_reset_iterator at ttgxvar.c#L1468, called from FT_List_Iterate in tt_apply_mvar at ttgxvar.c#L1589, when called from cff_metrics_adjust at cffdrivr.c#L1062. (TT_FaceRec_::var appears to only be set at sfobjs.c#L544, so cff_metrics_adjust is always calling tt_apply_mvar.) The call itself is fine since CFF_Face is a TT_Face. However, CFF_Size is not a TT_Size.
It appears that tt_size_reset protects against CFF2, but it is still possible to get here with a CFF font. When that happens tt_size_reset accesses the CFF_Size memory like a TT_Size and there is an out of bounds access. (While a CFF font isn't specified to vary, there is nothing technically preventing a CFF font from providing fvar and MVAR tables and the metrics varying.)
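As an added illustration, not code from FreeType or from this report: a constructed C model of the size records involved, with a guarded cast that refuses to treat a CFF_Size as a TT_Size, which is the check the unchecked cast in tt_size_reset_iterator lacks. The record layouts, the kind tag, and the names tt_size_reset_guarded, reset_all_sizes and demo_mixed_size_list are invented for this example.

```c
#include <stddef.h>

/* Constructed stand-ins for the records involved; the field layouts are
   invented for illustration and are not FreeType's real definitions. */
typedef enum { SIZE_KIND_CFF = 1, SIZE_KIND_TT = 2 } SizeKind;

typedef struct { SizeKind kind; int x_ppem; int y_ppem; } FT_SizeRec; /* shared base */
typedef struct { FT_SizeRec root; int strike_index; } CFF_SizeRec;    /* no TT metrics */
typedef struct { FT_SizeRec root; int strike_index; int ttmetrics[8]; } TT_SizeRec;

/* Hypothetical guarded reset: only treat the size as a TT_Size when the
   record says it is one. Returns 0 on success, -1 when the record is not a
   TT_SizeRec (the case where an unchecked cast would read past the end of
   the smaller CFF_SizeRec). */
static int tt_size_reset_guarded(FT_SizeRec* size)
{
  TT_SizeRec* ttsize;
  int i;

  if (size->kind != SIZE_KIND_TT)
    return -1;

  ttsize = (TT_SizeRec*)size;          /* now known to be the right record */
  for (i = 0; i < 8; i++)
    ttsize->ttmetrics[i] = 0;          /* stand-in for the real metric reset */
  return 0;
}

/* Stand-in for FT_List_Iterate over a face's size list: applies the guarded
   reset to every entry and returns how many entries were rejected. */
static int reset_all_sizes(FT_SizeRec** sizes, size_t count)
{
  int rejected = 0;
  size_t i;

  for (i = 0; i < count; i++)
    if (tt_size_reset_guarded(sizes[i]) != 0)
      rejected++;
  return rejected;
}

/* Constructed scenario from the report: a size list holding a CFF_SizeRec
   next to a TT_SizeRec. Returns the number of rejected sizes. */
int demo_mixed_size_list(void)
{
  CFF_SizeRec cff = { { SIZE_KIND_CFF, 12, 12 }, 0 };
  TT_SizeRec  tt  = { { SIZE_KIND_TT, 12, 12 }, 0, { 1, 2, 3, 4, 5, 6, 7, 8 } };
  FT_SizeRec* sizes[2];

  sizes[0] = &cff.root;
  sizes[1] = &tt.root;
  return reset_all_sizes(sizes, 2);    /* 1: the CFF_SizeRec is skipped */
}
```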