minhngoc25a
/
freetype2
mirror of git://git.savannah.gnu.org/freetype/freetype2.git
2
1
Fork 2
Code Issues 9 Releases Wiki Activity

Avoid overflow in COLR bounds checks. 

The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may
be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long`
is 32 bits adding 4 to such values will wrap and pass bounds checks but
accessing values at such offsets will be out of bounds.

On the other hand `table_size` has already been tested to be at least
`COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it.

* src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size`
instead of adding 4 to font data offsets in bounds checks

Fixes: https://crbug.com/1469348
This commit is contained in:
Ben Wagner 2023-08-04 11:41:23 -04:00
parent 95a872085e
commit 3829fdaae5
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/sfnt/ttcolr.c
View File

@ -229,7 +229,7 @@
base_glyphs_offset_v1 = FT_NEXT_ULONG( p );
if ( base_glyphs_offset_v1 + 4 >= table_size )
if ( base_glyphs_offset_v1 >= table_size - 4 )
goto InvalidTable;
p1 = (FT_Byte*)( table + base_glyphs_offset_v1 );
@ -249,7 +249,7 @@
if ( layer_offset_v1 )
{
if ( layer_offset_v1 + 4 >= table_size )
if ( layer_offset_v1 >= table_size - 4 )
goto InvalidTable;
p1 = (FT_Byte*)( table + layer_offset_v1 );