[sfnt] Fix cmap 14 validation (#46346).

* src/sfnt/ttcmap.c (tt_cmap14_validate): Check limit before
accessing `numRanges' and `numMappings'.
Fix size check for non-default UVS table.
Werner Lemberg 2015-10-31 18:47:26 +01:00
parent 009cc15035
commit 57cbb8c148
2 changed files with 26 additions and 8 deletions


@ -1,3 +1,11 @@
2015-10-31 Werner Lemberg <wl@gnu.org>
[sfnt] Fix cmap 14 validation (#46346).
* src/sfnt/ttcmap.c (tt_cmap14_validate): Check limit before
accessing `numRanges' and `numMappings'.
Fix size check for non-default UVS table.
2015-10-31 Werner Lemberg <wl@gnu.org>
[sfnt] Handle infinite recursion in bitmap strikes (#46344).


@ -2968,12 +2968,17 @@
/* through the normal Unicode cmap, no GIDs, just check order) */
if ( defOff != 0 )
{
FT_Byte* defp = table + defOff;
FT_ULong numRanges = TT_NEXT_ULONG( defp );
FT_Byte* defp = table + defOff;
FT_ULong numRanges;
FT_ULong i;
FT_ULong lastBase = 0;
FT_ULong lastBase = 0;
if ( defp + 4 > valid->limit )
FT_INVALID_TOO_SHORT;
numRanges = TT_NEXT_ULONG( defp );
/* defp + numRanges * 4 > valid->limit ? */
if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
FT_INVALID_TOO_SHORT;
@ -2997,13 +3002,18 @@
/* and the non-default table (these glyphs are specified here) */
if ( nondefOff != 0 )
{
FT_Byte* ndp = table + nondefOff;
FT_ULong numMappings = TT_NEXT_ULONG( ndp );
FT_ULong i, lastUni = 0;
FT_Byte* ndp = table + nondefOff;
FT_ULong numMappings;
FT_ULong i, lastUni = 0;
/* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
if ( ndp + 4 > valid->limit )
FT_INVALID_TOO_SHORT;
numMappings = TT_NEXT_ULONG( ndp );
/* numMappings * 5 > (FT_ULong)( valid->limit - ndp ) ? */
if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 5 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )
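Review bot: The new guards `if ( defp + 4 > valid->limit )` and `if ( ndp + 4 > valid->limit )` only hold if `table + defOff` and `table + nondefOff` already lie inside the table; with a font-supplied offset that has not been bounded, forming the pointer is undefined and the addition can wrap on 32-bit targets, so the guard passes and `TT_NEXT_ULONG` reads out of bounds. Whether `defOff` and `nondefOff` are compared against the table length earlier in tt_cmap14_validate cannot be seen here, because the function starts and ends outside these hunks. If they are not, bound the offset before forming the pointer, e.g. `if ( defOff > (FT_ULong)( valid->limit - table ) || (FT_ULong)( valid->limit - table ) - defOff < 4 ) FT_INVALID_TOO_SHORT;`, and likewise for `nondefOff`. A short comment beside each divisor giving the record size (4 bytes per default-UVS range, 5 bytes per non-default mapping) would explain why one check uses `/ 4` and the other `/ 5`.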