From 335224beee2e72caab4ae56b76d6eb72001c3753 Mon Sep 17 00:00:00 2001
From: Ben Wagner
Date: Thu, 3 Mar 2022 16:33:40 -0500
Subject: [PATCH] [sfnt] Fix bounds check in SVG.

The `SVG_DOCUMENT_LIST_MINIMUM_SIZE` macro is non trivial and not protected by parentheses. As a result, the expression `table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE` expands to `table_size - 2U + SVG_DOCUMENT_RECORD_SIZE` instead of the expected `table_size - (2U + SVG_DOCUMENT_RECORD_SIZE)`. This causes an incorrect bounds check which may lead to reading past the end of the `SVG ` table.

* src/sfnt/ttsvg.c (tt_face_load_svg): wrap macro definitions in parentheses.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45179
---
 src/sfnt/ttsvg.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/sfnt/ttsvg.c b/src/sfnt/ttsvg.c
index 781a88b4d..cb70ee8b1 100644
--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@@ -39,11 +39,11 @@
 /* NOTE: These table sizes are given by the specification. */
-#define SVG_TABLE_HEADER_SIZE 10U
-#define SVG_DOCUMENT_RECORD_SIZE 12U
-#define SVG_DOCUMENT_LIST_MINIMUM_SIZE 2U + SVG_DOCUMENT_RECORD_SIZE
-#define SVG_MINIMUM_SIZE SVG_TABLE_HEADER_SIZE + \
- SVG_DOCUMENT_LIST_MINIMUM_SIZE
+#define SVG_TABLE_HEADER_SIZE (10U)
+#define SVG_DOCUMENT_RECORD_SIZE (12U)
+#define SVG_DOCUMENT_LIST_MINIMUM_SIZE (2U + SVG_DOCUMENT_RECORD_SIZE)
+#define SVG_MINIMUM_SIZE (SVG_TABLE_HEADER_SIZE + \
+ SVG_DOCUMENT_LIST_MINIMUM_SIZE)
 typedef struct Svg_