* src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.
parent
7b855ed9cf
commit
53c5e4bd87
|
@ -1,3 +1,7 @@
|
||||||
|
2018-09-12 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
* src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.
|
||||||
|
|
||||||
2018-09-10 Armin Hasitzka <prince.cherusker@gmail.com>
|
2018-09-10 Armin Hasitzka <prince.cherusker@gmail.com>
|
||||||
|
|
||||||
* src/pshinter/pshrec.c (t2_hints_stems): Mask numeric overflow.
|
* src/pshinter/pshrec.c (t2_hints_stems): Mask numeric overflow.
|
||||||
|
|
|
@ -1531,24 +1531,51 @@
|
||||||
|
|
||||||
if ( gvar_head.flags & 1 )
|
if ( gvar_head.flags & 1 )
|
||||||
{
|
{
|
||||||
|
FT_ULong limit = gvar_start + table_len;
|
||||||
|
|
||||||
|
|
||||||
/* long offsets (one more offset than glyphs, to mark size of last) */
|
/* long offsets (one more offset than glyphs, to mark size of last) */
|
||||||
if ( FT_FRAME_ENTER( ( blend->gv_glyphcnt + 1 ) * 4L ) )
|
if ( FT_FRAME_ENTER( ( blend->gv_glyphcnt + 1 ) * 4L ) )
|
||||||
goto Exit;
|
goto Exit;
|
||||||
|
|
||||||
for ( i = 0; i <= blend->gv_glyphcnt; i++ )
|
for ( i = 0; i <= blend->gv_glyphcnt; i++ )
|
||||||
|
{
|
||||||
blend->glyphoffsets[i] = offsetToData + FT_GET_ULONG();
|
blend->glyphoffsets[i] = offsetToData + FT_GET_ULONG();
|
||||||
|
/* use `>', not `>=' */
|
||||||
|
if ( blend->glyphoffsets[i] > limit )
|
||||||
|
{
|
||||||
|
FT_TRACE2(( "ft_var_load_gvar:"
|
||||||
|
" invalid glyph variation data offset for index %d\n",
|
||||||
|
i ));
|
||||||
|
error = FT_THROW( Invalid_Table );
|
||||||
|
goto Exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
FT_FRAME_EXIT();
|
FT_FRAME_EXIT();
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
FT_ULong limit = gvar_start + table_len;
|
||||||
|
|
||||||
|
|
||||||
/* short offsets (one more offset than glyphs, to mark size of last) */
|
/* short offsets (one more offset than glyphs, to mark size of last) */
|
||||||
if ( FT_FRAME_ENTER( ( blend->gv_glyphcnt + 1 ) * 2L ) )
|
if ( FT_FRAME_ENTER( ( blend->gv_glyphcnt + 1 ) * 2L ) )
|
||||||
goto Exit;
|
goto Exit;
|
||||||
|
|
||||||
for ( i = 0; i <= blend->gv_glyphcnt; i++ )
|
for ( i = 0; i <= blend->gv_glyphcnt; i++ )
|
||||||
|
{
|
||||||
blend->glyphoffsets[i] = offsetToData + FT_GET_USHORT() * 2;
|
blend->glyphoffsets[i] = offsetToData + FT_GET_USHORT() * 2;
|
||||||
/* XXX: Undocumented: `*2'! */
|
/* use `>', not `>=' */
|
||||||
|
if ( blend->glyphoffsets[i] > limit )
|
||||||
|
{
|
||||||
|
FT_TRACE2(( "ft_var_load_gvar:"
|
||||||
|
" invalid glyph variation data offset for index %d\n",
|
||||||
|
i ));
|
||||||
|
error = FT_THROW( Invalid_Table );
|
||||||
|
goto Exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
FT_FRAME_EXIT();
|
FT_FRAME_EXIT();
|
||||||
}
|
}
|
||||||
|
|
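Review bot: Both new `goto Exit;` statements inside the offset loops jump out between `FT_FRAME_ENTER` and the `FT_FRAME_EXIT();` that follows each loop, so a font with an out-of-range offset leaves the stream frame open unless the `Exit` label, which lies outside this hunk, closes it. Adding `FT_FRAME_EXIT();` immediately before `goto Exit;` in the long-offset and the short-offset branch would keep the frame balanced on the rejection path. The comparison also bounds each entry only from above: `offsetToData + FT_GET_ULONG()` can wrap where `FT_ULong` is 32 bits wide and then pass `> limit`, and nothing here requires `glyphoffsets[i]` to be at least `glyphoffsets[i - 1]`, although the comment implies the extra entry exists so that neighbouring offsets give a glyph's data size. A check such as `if ( i > 0 && blend->glyphoffsets[i] < blend->glyphoffsets[i - 1] )` raising the same `Invalid_Table` error would cover the ordering case.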