rgraves
/
freetype2
forked from minhngoc25a/freetype2
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[sfnt] Pointer validity check when reading COLR 'v1' layers 

* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
existing sanity checks, ensure that the pointer to the layer to be
read is within the 'COLR' v1 table.
This commit is contained in:
Dominik Röttsches 2021-06-08 14:29:11 +03:00
parent 41fa19fcea
commit ee6d03d369
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ChangeLog
View File

@ -1,3 +1,11 @@
2021-06-08 Dominik Röttsches <drott@chromium.org>
[sfnt] Pointer validity check when reading COLR 'v1' layers
* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
existing sanity checks, ensure that the pointer to the layer to be
read is within the 'COLR' v1 table.
2021-06-08 Werner Lemberg <wl@gnu.org>
* src/sdf/ftsdfcommon.c: Fix inclusion of header files.

7
src/sfnt/ttcolr.c
View File

@ -701,6 +701,13 @@
*/
p = iterator->p;
/*
* First ensure that p is within COLRv1.
*/
if ( p < colr->base_glyphs_v1 ||
p >= ( (FT_Byte*)colr->table + colr->table_size ) )
return 0;
/*
* Do a cursor sanity check of the iterator. Counting backwards from
* where it stands, we need to end up at a position after the beginning