[sfnt] Reject malformed SVG tables.
* src/sfnt/ttsvg.c (SVG_TABLE_HEADER_SIZE, SVG_DOCUMENT_RECORD_SIZE, SVG_DOCUMENT_LIST_MINIMUM_SIZE, SVG_MINIMUM_SIZE): New macros. (tt_face_load_svg): Check offsets. Check table and record sizes. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43918
parent
706c79a1da
commit
112527dd44
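--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@@ -38,6 +38,14 @@
 #include "ttsvg.h"
 
 
+/* NOTE: These table sizes are given by the specification. */
+#define SVG_TABLE_HEADER_SIZE 10U
+#define SVG_DOCUMENT_RECORD_SIZE 12U
+#define SVG_DOCUMENT_LIST_MINIMUM_SIZE 2U + SVG_DOCUMENT_RECORD_SIZE
+#define SVG_MINIMUM_SIZE SVG_TABLE_HEADER_SIZE + \
+SVG_DOCUMENT_LIST_MINIMUM_SIZE
+
+
 typedef struct Svg_
 {
 FT_UShort version; /* table version (starting at 0) */
@@ -79,6 +87,9 @@
 if ( error )
 goto NoSVG;
 
+if ( table_size < SVG_MINIMUM_SIZE )
+goto InvalidTable;
+
 if ( FT_FRAME_EXTRACT( table_size, table ) )
 goto NoSVG;
 
@@ -90,7 +101,9 @@
 svg->version = FT_NEXT_USHORT( p );
 offsetToSVGDocumentList = FT_NEXT_ULONG( p );
 
-if ( offsetToSVGDocumentList == 0 )
+if ( offsetToSVGDocumentList < SVG_TABLE_HEADER_SIZE ||
+offsetToSVGDocumentList > table_size -
+SVG_DOCUMENT_LIST_MINIMUM_SIZE )
 goto InvalidTable;
 
 svg->svg_doc_list = (FT_Byte*)( table + offsetToSVGDocumentList );
@@ -101,6 +114,10 @@
 FT_TRACE3(( "version: %d\n", svg->version ));
 FT_TRACE3(( "number of entries: %d\n", svg->num_entries ));
 
+if ( offsetToSVGDocumentList +
+svg->num_entries * SVG_DOCUMENT_RECORD_SIZE > table_size )
+goto InvalidTable;
+
 svg->table = table;
 svg->table_size = table_size;
 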
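Review bot: The new size macros expand without parentheses, so the upper bound in the offset check `offsetToSVGDocumentList > table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE` becomes `table_size - 2U + 12U`, that is `table_size + 10`, and an offset at or just past the end of the table is still accepted before `svg->svg_doc_list` is set from it. Parenthesize the compound macros: `#define SVG_DOCUMENT_LIST_MINIMUM_SIZE ( 2U + SVG_DOCUMENT_RECORD_SIZE )` and `#define SVG_MINIMUM_SIZE ( SVG_TABLE_HEADER_SIZE + SVG_DOCUMENT_LIST_MINIMUM_SIZE )`. The entry-count check in the last hunk also appears to leave out the 2-byte count field that precedes the records (the `2U` in the list minimum suggests it), so `offsetToSVGDocumentList + 2U + svg->num_entries * SVG_DOCUMENT_RECORD_SIZE > table_size` looks like the intended bound; the read of `num_entries` is outside the visible hunks, so confirm against it. The body of tt_face_load_svg starts and ends outside these hunks.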