From 475f6d25cb299acc0634ec3a6112cefc469423a9 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Mon, 3 Sep 2018 09:00:58 +0200
Subject: [PATCH] [sfnt] Fix heap buffer overflow in CPAL handling.

* src/sfnt/ttcpal.c (tt_face_palette_set): Fix boundary test.
(tt_face_load_cpal): Updated.
---
 ChangeLog | 7 +++++++
 src/sfnt/ttcpal.c | 17 ++++++++++-------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a748921e7..0e40b1698 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-09-03 Werner Lemberg
+
+ [sfnt] Fix heap buffer overflow in CPAL handling.
+
+ * src/sfnt/ttcpal.c (tt_face_palette_set): Fix boundary test.
+ (tt_face_load_cpal): Updated.
+
 2018-09-01 Werner Lemberg
 Remove `FT_Outline_{New,Done}_Internal'.
diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c
index be1b00412..985224318 100644
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -220,7 +220,8 @@
 face->palette_data.num_palette_entries ) )
 goto NoCpal;
- tt_face_palette_set( face, 0 );
+ if ( tt_face_palette_set( face, 0 ) )
+ goto InvalidTable;
 return FT_Err_Ok;
@@ -231,6 +232,8 @@
 FT_FRAME_RELEASE( table );
 FT_FREE( cpal );
+ face->cpal = NULL;
+
 /* arrays in `face->palette_data' and `face->palette' */
 /* are freed in `sfnt_done_face' */
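Review bot: On the new `goto InvalidTable` path taken when `tt_face_palette_set( face, 0 )` fails, the NoCpal cleanup frees `cpal` and now clears `face->cpal`, but `face->palette_data` (including `num_palettes`) and the `face->palette` array allocated just above keep their values, and the existing comment only says they are freed in `sfnt_done_face`. If the caller treats CPAL as optional and keeps using the face after this error (not visible here), the face still advertises palettes whose color records were discarded; later `tt_face_palette_set` calls are rejected by its `!cpal` guard (third hunk, assuming `cpal` there is a copy of `face->cpal`), so this is not a memory-safety problem, but it reports Invalid_Argument instead of "no palettes". Consider clearing the advertised count next to the new assignment, `face->palette_data.num_palettes = 0;`, with a comment stating that palette metadata must not outlive the color table it indexes. The enclosing tt_face_load_cpal function begins and ends outside these hunks.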
@@ -267,20 +270,20 @@
 FT_Color* q;
 FT_Color* limit;
- FT_ULong record_offset;
+ FT_UShort color_index;
 if ( !cpal || palette_index >= face->palette_data.num_palettes )
 return FT_THROW( Invalid_Argument );
- offset = cpal->color_indices + 2 * palette_index;
- record_offset = COLOR_SIZE * FT_PEEK_USHORT( offset );
+ offset = cpal->color_indices + 2 * palette_index;
+ color_index = FT_PEEK_USHORT( offset );
- if ( record_offset + COLOR_SIZE * face->palette_data.num_palette_entries >
- cpal->table_size )
+ if ( color_index + face->palette_data.num_palette_entries >
+ cpal->num_colors )
 return FT_THROW( Invalid_Table );
- p = cpal->colors + record_offset;
+ p = cpal->colors + COLOR_SIZE * color_index;
 q = face->palette;
 limit = q + face->palette_data.num_palette_entries;
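Review bot: The new bound `color_index + face->palette_data.num_palette_entries > cpal->num_colors` is expressed in color-record units, so it only keeps `p = cpal->colors + COLOR_SIZE * color_index` and the copy up to `limit` inside the table if `cpal->num_colors * COLOR_SIZE` was itself verified against the table length when `cpal->colors` was set up in tt_face_load_cpal; that check is outside this hunk and should be confirmed, because an unvalidated `num_colors` read from the font would reintroduce the overflow this patch fixes. `color_index` is FT_UShort and `num_palette_entries` is presumably the same width, so the addition is performed in int and cannot wrap. Since the reason for switching from a byte offset to an entry count is not obvious from the code alone, a comment above the test would help: `/* check in color-record units: num_colors was validated against the table length at load time, so an in-range index keeps p inside cpal->colors */`. tt_face_palette_set's signature and the copy loop that consumes `p`, `q` and `limit` lie outside the hunk.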