minhngoc25a
/
freetype2
mirror of git://git.savannah.gnu.org/freetype/freetype2.git
2
1
Fork 2
Code Issues 4 Releases Wiki Activity

[sfnt] Fix CPAL heap buffer overflow. 

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968

* src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1
offsets.
This commit is contained in:
Werner Lemberg 2018-06-19 20:09:31 +02:00
parent 7915fd51f1
commit a6b77ba2b3
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ChangeLog
View File

@ -1,3 +1,14 @@
2018-06-19 Werner Lemberg <wl@gnu.org>
[sfnt] Fix CPAL heap buffer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968
* src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1
offsets.
2018-06-19 Werner Lemberg <wl@gnu.org>
Doh. Don't use CPAL or COLR data if tables are missing.

3
src/sfnt/ttcpal.c
View File

@ -128,6 +128,9 @@
FT_UShort* q;
if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size )
goto InvalidTable;
p += face->palette_data.num_palettes * 2;
type_offset = FT_NEXT_ULONG( p );