[sfnt] Pointer validity check when reading COLR 'v1' layers
* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the existing sanity checks, ensure that the pointer to the layer to be read is within the 'COLR' v1 table.
This commit is contained in:
parent
41fa19fcea
commit
ee6d03d369
|
@ -1,3 +1,11 @@
|
||||||
|
2021-06-08 Dominik Röttsches <drott@chromium.org>
|
||||||
|
|
||||||
|
[sfnt] Pointer validity check when reading COLR 'v1' layers
|
||||||
|
|
||||||
|
* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
|
||||||
|
existing sanity checks, ensure that the pointer to the layer to be
|
||||||
|
read is within the 'COLR' v1 table.
|
||||||
|
|
||||||
2021-06-08 Werner Lemberg <wl@gnu.org>
|
2021-06-08 Werner Lemberg <wl@gnu.org>
|
||||||
|
|
||||||
* src/sdf/ftsdfcommon.c: Fix inclusion of header files.
|
* src/sdf/ftsdfcommon.c: Fix inclusion of header files.
|
||||||
|
|
|
@ -701,6 +701,13 @@
|
||||||
*/
|
*/
|
||||||
p = iterator->p;
|
p = iterator->p;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* First ensure that p is within COLRv1.
|
||||||
|
*/
|
||||||
|
if ( p < colr->base_glyphs_v1 ||
|
||||||
|
p >= ( (FT_Byte*)colr->table + colr->table_size ) )
|
||||||
|
return 0;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Do a cursor sanity check of the iterator. Counting backwards from
|
* Do a cursor sanity check of the iterator. Counting backwards from
|
||||||
* where it stands, we need to end up at a position after the beginning
|
* where it stands, we need to end up at a position after the beginning
|
||||||
|
|
Loading…
Reference in New Issue