[sfnt] Fix cmap 14 validation (#46346).
* src/sfnt/ttcmap.c (tt_cmap14_validate): Check limit before accessing `numRanges' and `numMappings'. Fix size check for non-default UVS table.
parent
009cc15035
commit
57cbb8c148
|
@ -1,3 +1,11 @@
|
||||||
|
2015-10-31 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
|
[sfnt] Fix cmap 14 validation (#46346).
|
||||||
|
|
||||||
|
* src/sfnt/ttcmap.c (tt_cmap14_validate): Check limit before
|
||||||
|
accessing `numRanges' and `numMappings'.
|
||||||
|
Fix size check for non-default UVS table.
|
||||||
|
|
||||||
2015-10-31 Werner Lemberg <wl@gnu.org>
|
2015-10-31 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
[sfnt] Handle infinite recursion in bitmap strikes (#46344).
|
[sfnt] Handle infinite recursion in bitmap strikes (#46344).
|
||||||
|
|
|
@ -2969,11 +2969,16 @@
|
||||||
if ( defOff != 0 )
|
if ( defOff != 0 )
|
||||||
{
|
{
|
||||||
FT_Byte* defp = table + defOff;
|
FT_Byte* defp = table + defOff;
|
||||||
FT_ULong numRanges = TT_NEXT_ULONG( defp );
|
FT_ULong numRanges;
|
||||||
FT_ULong i;
|
FT_ULong i;
|
||||||
FT_ULong lastBase = 0;
|
FT_ULong lastBase = 0;
|
||||||
|
|
||||||
|
|
||||||
|
if ( defp + 4 > valid->limit )
|
||||||
|
FT_INVALID_TOO_SHORT;
|
||||||
|
|
||||||
|
numRanges = TT_NEXT_ULONG( defp );
|
||||||
|
|
||||||
/* defp + numRanges * 4 > valid->limit ? */
|
/* defp + numRanges * 4 > valid->limit ? */
|
||||||
if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
|
if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
|
||||||
FT_INVALID_TOO_SHORT;
|
FT_INVALID_TOO_SHORT;
|
||||||
|
@ -2998,12 +3003,17 @@
|
||||||
if ( nondefOff != 0 )
|
if ( nondefOff != 0 )
|
||||||
{
|
{
|
||||||
FT_Byte* ndp = table + nondefOff;
|
FT_Byte* ndp = table + nondefOff;
|
||||||
FT_ULong numMappings = TT_NEXT_ULONG( ndp );
|
FT_ULong numMappings;
|
||||||
FT_ULong i, lastUni = 0;
|
FT_ULong i, lastUni = 0;
|
||||||
|
|
||||||
|
|
||||||
/* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
|
if ( ndp + 4 > valid->limit )
|
||||||
if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
|
FT_INVALID_TOO_SHORT;
|
||||||
|
|
||||||
|
numMappings = TT_NEXT_ULONG( ndp );
|
||||||
|
|
||||||
|
/* numMappings * 5 > (FT_ULong)( valid->limit - ndp ) ? */
|
||||||
|
if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 5 )
|
||||||
FT_INVALID_TOO_SHORT;
|
FT_INVALID_TOO_SHORT;
|
||||||
|
|
||||||
for ( i = 0; i < numMappings; ++i )
|
for ( i = 0; i < numMappings; ++i )
|
||||||
|
|
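Review bot: The added guards `if ( defp + 4 > valid->limit )` and, in the second hunk, `if ( ndp + 4 > valid->limit )` compare pointers formed as `table + defOff` and `table + nondefOff`, so they are only sound if both offsets were already bounded against the table size before this point, and the visible lines do not show that. With an offset taken straight from the font data, the addition could land past the buffer or wrap on a 32-bit target, and the guard would then pass while `TT_NEXT_ULONG` reads outside the table. If the bound is enforced earlier in `tt_cmap14_validate` (the function starts and ends outside both hunks), a one-line comment such as `/* defOff is known to lie within the table, so defp cannot wrap */` would record that dependency next to each guard. If it is not enforced, the offsets themselves should be range-checked before the pointers are formed.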