Fix potential overflow issues in WPF native code

src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/intsafe_private_copy.h

@@ -138,4 +138,18 @@ ULongSub(
 
     return hr;
 }
+
+//
+// Convenience wrappers for the codebase's uint32 type (unsigned long).
+// These forward to the UINT/ULONG versions above, bridging the type mismatch.
+//
+static __inline HRESULT UIntAdd32(uint32 a, uint32 b, uint32 *pResult)
+{
+    return UIntAdd((UINT)a, (UINT)b, (UINT *)pResult);
+}
+static __inline HRESULT ULongMult32(uint32 a, uint32 b, uint32 *pResult)
+{
+    return ULongMult((ULONG)a, (ULONG)b, (ULONG *)pResult);
+}
+
 #endif //__INTSAFE_PRIVATE_COPY_H

src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/makeglst.cpp

@@ -148,6 +148,8 @@ Thanks,
 #include "ttferror.h" /* for error codes */
 #include "ttfdelta.h"
 #include "sfntoff.h"
+#include "intsafe_private_copy.h"
+#include "ttf_safe_checks.h"
 
 #define WIN_ANSI_MIDDLEDOT 0xB7
 #define WIN_ANSI_BULLET 0x2219
@@ -176,7 +178,18 @@ USHORT usHighByte;
         {
             if (usFirstChar >= 0xf000)
             {
-                if (*ppulKeepSymbolCodeList = (CHAR_ID *)Mem_Alloc(usCharListCount * sizeof(CHAR_ID)))
+                if (TTF_SAFE_CHECKS_ENABLED())
+                {
+                    uint32 ulAllocSize;
+                    if (ULongMult32((uint32)usCharListCount, (uint32)sizeof(CHAR_ID), &ulAllocSize) != S_OK)
+                        return ERR_MEM;
+                    *ppulKeepSymbolCodeList = (CHAR_ID *)Mem_Alloc(ulAllocSize);
+                }
+                else
+                {
+                    *ppulKeepSymbolCodeList = (CHAR_ID *)Mem_Alloc(usCharListCount * sizeof(CHAR_ID));
+                }
+                if (*ppulKeepSymbolCodeList)
                 {
                     /* In user range -> this is a symbol font so go ahead offseting it */
                     usHighByte = (unsigned short)(usFirstChar & 0xff00);
@@ -220,7 +233,18 @@ int16 EnsureNonEmptyGlyfTable(
     uint32 * aulLoca;
 
     /* allocate memory for and read loca table */
-    aulLoca = (uint32 *)Mem_Alloc( (usGlyphCount + 1) * sizeof( uint32 ));
+    if (TTF_SAFE_CHECKS_ENABLED())
+    {
+        uint32 ulLocaCount = (uint32)usGlyphCount + 1;
+        uint32 ulAllocSize;
+        if (ULongMult32(ulLocaCount, (uint32)sizeof( uint32 ), &ulAllocSize) != S_OK)
+            return ERR_MEM;
+        aulLoca = (uint32 *)Mem_Alloc( ulAllocSize );
+    }
+    else
+    {
+        aulLoca = (uint32 *)Mem_Alloc( (usGlyphCount + 1) * sizeof(uint32) );
+    }
     if ( aulLoca == NULL )
         return ERR_MEM;
 
@@ -328,8 +352,22 @@ CMAP_SUBHEADER_GEN CmapSubHeader;
     if ((ulGlyfOffset = TTTableOffset( pInputBufferInfo, GLYF_TAG )) == DIRECTORY_ERROR)
         return (ERR_MISSING_GLYF);
 
-    usnMaxComponents = Maxp.maxComponentElements * Maxp.maxComponentDepth; /* maximum total possible */
-    pausComponents = (uint16 *)Mem_Alloc(usnMaxComponents * sizeof(uint16));
+    if (TTF_SAFE_CHECKS_ENABLED())
+    {
+        uint32 ulMaxComp, ulAllocSize;
+        if (ULongMult32((uint32)Maxp.maxComponentElements, (uint32)Maxp.maxComponentDepth, &ulMaxComp) != S_OK ||
+            ULongMult32(ulMaxComp, (uint32)sizeof(uint16), &ulAllocSize) != S_OK)
+            return(ERR_MEM);
+        if (ulMaxComp > (uint32)USHRT_MAX)
+            return(ERR_INVALID_MAXP);
+        usnMaxComponents = (uint16)ulMaxComp;
+        pausComponents = (uint16 *)Mem_Alloc(ulAllocSize);
+    }
+    else
+    {
+        usnMaxComponents = Maxp.maxComponentElements * Maxp.maxComponentDepth;
+        pausComponents = (uint16 *)Mem_Alloc(usnMaxComponents * sizeof(uint16));
+    }
     if (pausComponents == NULL)
         return(ERR_MEM);
 

src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/modcmap.cpp

@@ -14,6 +14,8 @@
 #include <stdlib.h> /* for qsort */
 
 #include "typedefs.h"
+#include "intsafe_private_copy.h"
+#include "ttf_safe_checks.h"
 #include "ttff.h"
 #include "ttfacc.h"
 #include "ttfcntrl.h"
@@ -46,7 +48,17 @@ struct cmapoffsetrecordkeeper      /* housekeeping structure */
 PRIVATE int16 InitCmapOffsetArray(PCMAPOFFSETRECORDKEEPER pKeeper, 
                                   uint16 usRecordCount)
 {
-    pKeeper->pCmapOffsetArray = (CmapOffsetRecord *) Mem_Alloc(usRecordCount * sizeof(*(pKeeper->pCmapOffsetArray)));
+    if (TTF_SAFE_CHECKS_ENABLED())
+    {
+        uint32 ulAllocSize;
+        if (ULongMult32((uint32)usRecordCount, (uint32)sizeof(*(pKeeper->pCmapOffsetArray)), &ulAllocSize) != S_OK)
+            return ERR_MEM;
+        pKeeper->pCmapOffsetArray = (CmapOffsetRecord *) Mem_Alloc(ulAllocSize);
+    }
+    else
+    {
+        pKeeper->pCmapOffsetArray = (CmapOffsetRecord *) Mem_Alloc(usRecordCount * sizeof(*(pKeeper->pCmapOffsetArray)));
+    }
     if (pKeeper->pCmapOffsetArray == NULL)
         return ERR_MEM;
     pKeeper->usCmapOffsetArrayLen = usRecordCount;
@@ -152,7 +164,17 @@ uint16 i,j;
 uint16 usBytesRead;
 uint16 usPadBytes;
 
-    pIndexArray = (IndexOffset *) Mem_Alloc(usSubTableCount * sizeof(*pIndexArray));
+    if (TTF_SAFE_CHECKS_ENABLED())
+    {
+        uint32 ulAllocSize;
+        if (ULongMult32((uint32)usSubTableCount, (uint32)sizeof(*pIndexArray), &ulAllocSize) != S_OK)
+            return ERR_MEM;
+        pIndexArray = (IndexOffset *) Mem_Alloc(ulAllocSize);
+    }
+    else
+    {
+        pIndexArray = (IndexOffset *) Mem_Alloc(usSubTableCount * sizeof(*pIndexArray));
+    }
     if (pIndexArray == NULL)
         return ERR_MEM;
 
@@ -384,7 +406,17 @@ uint16 usBytesRead;
         return ERR_INVALID_CMAP;  /* huh?*/
 
     usSubTableCount = GetCmapSubtableCount(pOutputBufferInfo, ulCmapOffset);
-    pCmapTableLoc = (CMAP_TABLELOC *)Mem_Alloc(SIZEOF_CMAP_TABLELOC * usSubTableCount);
+    if (TTF_SAFE_CHECKS_ENABLED())
+    {
+        uint32 ulAllocSize;
+        if (ULongMult32((uint32)SIZEOF_CMAP_TABLELOC, (uint32)usSubTableCount, &ulAllocSize) != S_OK)
+            return ERR_MEM;
+        pCmapTableLoc = (CMAP_TABLELOC *)Mem_Alloc(ulAllocSize);
+    }
+    else
+    {
+        pCmapTableLoc = (CMAP_TABLELOC *)Mem_Alloc(SIZEOF_CMAP_TABLELOC * usSubTableCount);
+    }
     if (pCmapTableLoc == NULL)
         return ERR_MEM;
     ulCmapSubTableDirOffset  = ulCmapOffset + GetGenericSize( CMAP_HEADER_CONTROL );
@@ -434,8 +466,24 @@ uint16 usBytesRead;
             if (errCode != NO_ERROR)
                 break;
 
-            NewFormat4Segments = (FORMAT4_SEGMENTS *) Mem_Alloc( (usnCharGlyphMapListCount+1) * SIZEOF_FORMAT4_SEGMENTS ); /* add one for the extra dummy segment */
-            NewFormat4GlyphIdArray = (GLYPH_ID *) Mem_Alloc( usnCharGlyphMapListCount * sizeof( *NewFormat4GlyphIdArray ) );
+            if (TTF_SAFE_CHECKS_ENABLED())
+            {
+                uint32 ulSegAllocSize, ulGlyphAllocSize;
+                uint32 ulSegCount32 = (uint32)usnCharGlyphMapListCount + 1; /* add one for extra dummy segment */
+                if (ULongMult32(ulSegCount32, (uint32)SIZEOF_FORMAT4_SEGMENTS, &ulSegAllocSize) != S_OK ||
+                    ULongMult32((uint32)usnCharGlyphMapListCount, (uint32)sizeof( *NewFormat4GlyphIdArray ), &ulGlyphAllocSize) != S_OK)
+                {
+                    errCode = ERR_MEM;
+                    break;
+                }
+                NewFormat4Segments = (FORMAT4_SEGMENTS *) Mem_Alloc( ulSegAllocSize );
+                NewFormat4GlyphIdArray = (GLYPH_ID *) Mem_Alloc( ulGlyphAllocSize );
+            }
+            else
+            {
+                NewFormat4Segments = (FORMAT4_SEGMENTS *) Mem_Alloc( (usnCharGlyphMapListCount + 1) * SIZEOF_FORMAT4_SEGMENTS ); /* add one for the extra dummy segment */
+                NewFormat4GlyphIdArray = (GLYPH_ID *) Mem_Alloc( usnCharGlyphMapListCount * sizeof( *NewFormat4GlyphIdArray ) );
+            }
 
             if ( NewFormat4Segments == NULL || NewFormat4GlyphIdArray == NULL )
             {
@@ -453,7 +501,7 @@ uint16 usBytesRead;
 
             if (CmapFormat4.length <= CmapSubHeader.length) /* if the new length is smaller than the old, we can write it in the old place */
             {
-                if (pCmapTableLoc[i].platformID == MS_PLATFORMID)  /* only applies to this platform */
+                if (pCmapTableLoc[i].platformID == MS_PLATFORMID && (!TTF_SAFE_CHECKS_ENABLED() || usnCharGlyphMapListCount > 0))  /* only applies to this platform */
                 {
                     *pOS2MinChr = pCharGlyphMapList[0].usCharCode;
                     *pOS2MaxChr = pCharGlyphMapList[usnCharGlyphMapListCount-1].usCharCode;
@@ -482,7 +530,20 @@ uint16 usBytesRead;
             if (errCode != NO_ERROR)
                 break;
 
-            NewFormat12Groups = (FORMAT12_GROUPS *) Mem_Alloc( (ulnCharGlyphMapListCount) * SIZEOF_FORMAT12_GROUPS );
+            if (TTF_SAFE_CHECKS_ENABLED())
+            {
+                uint32 ulAllocSize;
+                if (ULongMult32((uint32)ulnCharGlyphMapListCount, (uint32)SIZEOF_FORMAT12_GROUPS, &ulAllocSize) != S_OK)
+                {
+                    errCode = ERR_MEM;
+                    break;
+                }
+                NewFormat12Groups = (FORMAT12_GROUPS *) Mem_Alloc(ulAllocSize);
+            }
+            else
+            {
+                NewFormat12Groups = (FORMAT12_GROUPS *) Mem_Alloc(ulnCharGlyphMapListCount * SIZEOF_FORMAT12_GROUPS);
+            }
             if ( NewFormat12Groups == NULL)
             {
                 errCode = ERR_MEM;
@@ -495,7 +556,7 @@ uint16 usBytesRead;
             /* Donald, if you don't care if the Cmap subtable grows, you could comment out the next line */
             if (CmapFormat12.length <= CmapSubHeader.length) /* if the new length is smaller than the old, we can write it in the old place */
             {
-                if (pCmapTableLoc[i].platformID == MS_PLATFORMID)  /* only applies to this platform */
+                if (pCmapTableLoc[i].platformID == MS_PLATFORMID && (!TTF_SAFE_CHECKS_ENABLED() || ulnCharGlyphMapListCount > 0))  /* only applies to this platform */
                 {
                     *pOS2MinChr = (uint16)pCharGlyphMapListEx[0].ulCharCode;
                     *pOS2MaxChr = (uint16)pCharGlyphMapListEx[ulnCharGlyphMapListCount-1].ulCharCode;

src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/modglyf.cpp

@@ -23,6 +23,8 @@
 #include "util.h"
 #include "modglyf.h"
 #include "ttferror.h"    /* for error codes */
+#include "intsafe_private_copy.h"
+#include "ttf_safe_checks.h"
 
 /* ------------------------------------------------------------------- */
 /* this function modifies the glyf and loca tables by copying only glyfs
@@ -60,7 +62,18 @@ HEAD Head;
 
 /* allocate memory for and read loca table */
 
-    aulLoca = (uint32 *)Mem_Alloc( (usGlyphCount + 1) * sizeof( uint32 ));
+    if (TTF_SAFE_CHECKS_ENABLED()) 
+    {
+        uint32 ulLocaCount = (uint32)usGlyphCount + 1;
+        uint32 ulAllocSize;
+        if (ULongMult32(ulLocaCount, (uint32)sizeof( uint32 ), &ulAllocSize) != S_OK)
+            return ERR_MEM;
+        aulLoca = (uint32 *)Mem_Alloc( ulAllocSize );
+    }
+    else 
+    {
+        aulLoca = (uint32 *)Mem_Alloc( (usGlyphCount + 1) * sizeof( uint32 ));
+    }
     if ( aulLoca == NULL )
         return ERR_MEM;
 
@@ -120,18 +133,56 @@ HEAD Head;
 
             if ( ulGlyphLength )
             {
-                if ((errCode = CopyBlockOver( pOutputBufferInfo, pInputBufferInfo, ulOutGlyfOffset + ulOutLoca, 
-                        ulGlyfOffset + aulLoca[ i ], ulGlyphLength )) != NO_ERROR)
-                    break;
+               if (TTF_SAFE_CHECKS_ENABLED()) 
+               {
+                    uint32 ulOutOff, ulInOff;
+                    if (UIntAdd32(ulOutGlyfOffset, ulOutLoca, &ulOutOff) != S_OK ||
+                        UIntAdd32(ulGlyfOffset, aulLoca[i], &ulInOff) != S_OK)
+                    {
+                        errCode = ERR_GENERIC;
+                        break;
+                    }
+                    if ((errCode = CopyBlockOver( pOutputBufferInfo, pInputBufferInfo, ulOutOff, 
+                            ulInOff, ulGlyphLength )) != NO_ERROR)
+                        break;
+                }
+                else 
+                {
+                    if ((errCode = CopyBlockOver( pOutputBufferInfo, pInputBufferInfo, ulOutGlyfOffset + ulOutLoca, 
+                            ulGlyfOffset + aulLoca[ i ], ulGlyphLength )) != NO_ERROR)
+                        break;
+                }
             }
         }
         assert((ulOutLoca & 1) != 1);
         aulLoca[ i ] = ulOutLoca;
         ulOutLoca += ulGlyphLength;
+        if (TTF_SAFE_CHECKS_ENABLED())
+        {
+            if (ulOutLoca < ulGlyphLength)
+            {
+                errCode = ERR_GENERIC;
+                break;
+            }
+        }
         if (ulOutLoca & 1)
         {       /* the glyph offset is on an odd-byte boundry. get ready for next time */
-            if ((errCode = WriteByte( pOutputBufferInfo, 0, ulOutGlyfOffset + ulOutLoca)) != NO_ERROR)
-                break;
+            if (TTF_SAFE_CHECKS_ENABLED()) 
+            {
+                uint32 ulPadOff;
+                if (UIntAdd32(ulOutGlyfOffset, ulOutLoca, &ulPadOff) != S_OK)
+                {
+                    errCode = ERR_GENERIC;
+                    break;
+                }
+                if ((errCode = WriteByte( pOutputBufferInfo, 0, ulPadOff)) != NO_ERROR)
+                    break;
+            }
+            else 
+            {
+                if ((errCode = WriteByte( pOutputBufferInfo, 0, ulOutGlyfOffset + ulOutLoca)) != NO_ERROR)
+                    break;
+            }
             ++ulOutLoca;
         }
     }