[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master b24cfc8: [sfnt] Sanitize cmap4 table better.
From: |
Werner Lemberg |
Subject: |
[freetype2] master b24cfc8: [sfnt] Sanitize cmap4 table better. |
Date: |
Tue, 8 Jun 2021 09:27:37 -0400 (EDT) |
branch: master
commit b24cfc8dcc8991f464782f91922c2772f393184d
Author: Werner Lemberg <wl@gnu.org>
Commit: Werner Lemberg <wl@gnu.org>
[sfnt] Sanitize cmap4 table better.
Fixes #1062.
* src/sfnt/ttcmap.c (tt_cmap4_validate): Handle a too-small value of
`length` gracefully.
---
ChangeLog | 9 +++++++++
src/sfnt/ttcmap.c | 10 ++++++++++
2 files changed, 19 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 1c61793..3b64ee7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2021-06-08 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Sanitize cmap4 table better.
+
+ Fixes #1062.
+
+ * src/sfnt/ttcmap.c (tt_cmap4_validate): Handle a too-small value of
+ `length` gracefully.
+
2021-06-08 Dominik Röttsches <drott@chromium.org>
[sfnt] Pointer validity check when reading COLR 'v1' layers
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 45d9f92..b369d83 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -916,6 +916,16 @@
length = (FT_UInt)( valid->limit - table );
}
+ /* it also happens that the `length' field is too small; */
+ /* this is easy to correct */
+ if ( length < (FT_UInt)( valid->limit - table ) )
+ {
+ if ( valid->level >= FT_VALIDATE_PARANOID )
+ FT_INVALID_DATA;
+
+ length = (FT_UInt)( valid->limit - table );
+ }
+
if ( length < 16 )
FT_INVALID_TOO_SHORT;
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master b24cfc8: [sfnt] Sanitize cmap4 table better.,
Werner Lemberg <=