[sfnt] Fix color glyph layer loading.
* src/sfnt/ttcolr.c (Colr): Add `table_size' field. (tt_face_load_colr): Set it. (tt_face_get_colr_layer): Check pointer limit for layer entries.
This commit is contained in:
parent
1079063701
commit
9960e7beab
|
@ -1,3 +1,11 @@
|
|||
2018-06-16 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[sfnt] Fix color glyph layer loading.
|
||||
|
||||
* src/sfnt/ttcolr.c (Colr): Add `table_size' field.
|
||||
(tt_face_load_colr): Set it.
|
||||
(tt_face_get_colr_layer): Check pointer limit for layer entries.
|
||||
|
||||
2018-06-16 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[sfnt] Fix color palette loading.
|
||||
|
|
|
@ -64,7 +64,8 @@
|
|||
FT_Byte* layers;
|
||||
|
||||
/* The memory which backs up the `COLR' table. */
|
||||
void* table;
|
||||
void* table;
|
||||
FT_ULong table_size;
|
||||
|
||||
} Colr;
|
||||
|
||||
|
@ -138,6 +139,7 @@
|
|||
colr->base_glyphs = (FT_Byte*)( table + base_glyph_offset );
|
||||
colr->layers = (FT_Byte*)( table + layer_offset );
|
||||
colr->table = table;
|
||||
colr->table_size = table_size;
|
||||
|
||||
face->colr = colr;
|
||||
|
||||
|
@ -220,6 +222,9 @@
|
|||
|
||||
if ( !iterator->p )
|
||||
{
|
||||
FT_ULong offset;
|
||||
|
||||
|
||||
/* first call to function */
|
||||
iterator->layer = 0;
|
||||
|
||||
|
@ -229,13 +234,16 @@
|
|||
&glyph_record ) )
|
||||
return 0;
|
||||
|
||||
iterator->p = colr->layers +
|
||||
LAYER_SIZE * glyph_record.first_layer_index;
|
||||
|
||||
if ( glyph_record.num_layers )
|
||||
iterator->num_layers = glyph_record.num_layers;
|
||||
else
|
||||
return 0;
|
||||
|
||||
offset = LAYER_SIZE * glyph_record.first_layer_index;
|
||||
if ( offset + LAYER_SIZE * glyph_record.num_layers > colr->table_size )
|
||||
return 0;
|
||||
|
||||
iterator->p = colr->layers + offset;
|
||||
}
|
||||
|
||||
if ( iterator->layer >= iterator->num_layers )
|
||||
|
|
Loading…
Reference in New Issue