rgraves
/
freetype2
forked from minhngoc25a/freetype2
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

* src/sfnt/ttcolr.c (tt_face_load_colr): Improve overflow checks.

This commit is contained in:
Werner Lemberg 2018-06-10 06:59:39 +02:00
parent 50fda0be3f
commit 56be5f721b
2 changed files with 23 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -1,3 +1,7 @@
2018-06-10 Werner Lemberg <wl@gnu.org>
* src/sfnt/ttcolr.c (tt_face_load_colr): Improve overflow checks.
2018-06-09 Alexei Podtelezhnikov <apodtele@gmail.com> 2018-06-09 Alexei Podtelezhnikov <apodtele@gmail.com>
[raster] Deal with pitch sign earlier. [raster] Deal with pitch sign earlier.

43
src/sfnt/ttcolr.c
View File

@ -120,8 +120,7 @@
Cpal cpal; Cpal cpal;
ColrCpal* cc = NULL; ColrCpal* cc = NULL;
FT_ULong base_glyph_begin, base_glyph_end, layer_begin, layer_end; FT_ULong base_glyph_offset, layer_offset, colors_offset;
FT_ULong colors_offset;
FT_ULong table_size; FT_ULong table_size;
@ -133,7 +132,7 @@
if ( error ) if ( error )
goto NoColor; goto NoColor;
if ( table_size < sizeof ( COLR_HEADER_SIZE ) ) if ( table_size < COLR_HEADER_SIZE )
goto InvalidTable; goto InvalidTable;
if ( FT_FRAME_EXTRACT( table_size, colr_table ) ) if ( FT_FRAME_EXTRACT( table_size, colr_table ) )
@ -142,33 +141,29 @@
p = colr_table; p = colr_table;
FT_ZERO( &colr ); FT_ZERO( &colr );
colr.version = FT_NEXT_USHORT( p ); colr.version = FT_NEXT_USHORT( p );
colr.num_base_glyphs = FT_NEXT_USHORT( p );
base_glyph_begin = FT_NEXT_ULONG( p );
layer_begin = FT_NEXT_ULONG( p );
colr.num_layers = FT_NEXT_USHORT( p );
colr.base_glyphs = (FT_Byte*)( colr_table + base_glyph_begin );
colr.layers = (FT_Byte*)( colr_table + layer_begin );
if ( colr.version != 0 ) if ( colr.version != 0 )
goto InvalidTable; goto InvalidTable;
/* Ensure variable length tables lies within the COLR table. */ colr.num_base_glyphs = FT_NEXT_USHORT( p );
/* We wrap around FT_ULong at most once since count is FT_UShort. */ base_glyph_offset = FT_NEXT_ULONG( p );
base_glyph_end = base_glyph_begin + if ( base_glyph_offset >= table_size )
colr.num_base_glyphs * BASE_GLYPH_SIZE; goto InvalidTable;
layer_end = layer_begin + if ( colr.num_base_glyphs * BASE_GLYPH_SIZE >
colr.num_layers * LAYER_SIZE; table_size - base_glyph_offset )
if ( base_glyph_end < base_glyph_begin || base_glyph_end > table_size ||
layer_end < layer_begin || layer_end > table_size )
goto InvalidTable; goto InvalidTable;
/* Ensure pointers don't wrap. */ layer_offset = FT_NEXT_ULONG( p );
if ( colr.base_glyphs < colr_table || colr.layers < colr_table ) colr.num_layers = FT_NEXT_USHORT( p );
if ( layer_offset >= table_size )
goto InvalidTable; goto InvalidTable;
if ( colr.num_layers * LAYER_SIZE > table_size - layer_offset )
goto InvalidTable;
colr.base_glyphs = (FT_Byte*)( colr_table + base_glyph_offset );
colr.layers = (FT_Byte*)( colr_table + layer_offset );
/* /*
* CPAL * CPAL
@ -203,7 +198,7 @@
goto InvalidTable; goto InvalidTable;
cpal.color_indices = p; cpal.color_indices = p;
cpal.colors = (FT_Byte*)cpal_table + colors_offset; cpal.colors = (FT_Byte*)( cpal_table + colors_offset );
if ( cpal.version == 1 ) if ( cpal.version == 1 )
{ {