From 3829fdaae5f12590f93807e9bcb866be131a201a Mon Sep 17 00:00:00 2001
From: Ben Wagner
Date: Fri, 4 Aug 2023 11:41:23 -0400
Subject: [PATCH] Avoid overflow in COLR bounds checks.

The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long` is 32 bits adding 4 to such values will wrap and pass bounds checks but accessing values at such offsets will be out of bounds. On the other hand `table_size` has already been tested to be at least `COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it.

* src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size` instead of adding 4 to font data offsets in bounds checks

Fixes: https://crbug.com/1469348
---
 src/sfnt/ttcolr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 69ccf0ee7..281e7135e 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -229,7 +229,7 @@
 base_glyphs_offset_v1 = FT_NEXT_ULONG( p );
-if ( base_glyphs_offset_v1 + 4 >= table_size )
+if ( base_glyphs_offset_v1 >= table_size - 4 )
 goto InvalidTable;
 p1 = (FT_Byte*)( table + base_glyphs_offset_v1 );
@@ -249,7 +249,7 @@
 if ( layer_offset_v1 )
 {
-if ( layer_offset_v1 + 4 >= table_size )
+if ( layer_offset_v1 >= table_size - 4 )
 goto InvalidTable;
 p1 = (FT_Byte*)( table + layer_offset_v1 );
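Review bot: The rewritten comparison `if ( base_glyphs_offset_v1 >= table_size - 4 )` is only free of underflow because `table_size` was checked against `COLRV1_HEADER_SIZE` earlier in `tt_face_load_colr`, and that precondition is stated in the commit message but nowhere near the check itself, so a later reader may see `table_size - 4` as the bug and rewrite it back into the wrapping `offset + 4` form. A one-line comment above the check would pin the invariant: `/* table_size >= COLRV1_HEADER_SIZE was verified above, so the subtraction cannot underflow; adding 4 to the offset instead can wrap on 32-bit FT_ULong */`. The same comment applies to the `layer_offset_v1` check in the second hunk (`@@ -249,7 +249,7 @@`), which carries the identical rewrite; since both checks encode the same "at least 4 bytes readable at offset" rule, presumably for the ULONG read through `p1` that follows, a small static helper or macro shared by both would keep them from drifting apart again. The enclosing function starts and ends outside both hunks, so the earlier `COLRV1_HEADER_SIZE` check is not visible here.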