[Git][freetype/freetype][master] [sfnt] Improve paint limit checks

[Werner Lemberg (@wl)]

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

• 7d4e55c3
  by Dominik Röttsches at 2021-06-28T18:02:55+02:00

  [sfnt] Improve paint limit checks
  
  Paint tables can appear before the `base_glyphs_v1` offset if the
  font is produced with the layer list before the base glyph list.  In
  this case paint tables can occur after the layer list but before the
  base glyph list.  Checks in the 'COLR' v1 code were rejecting fonts
  with this layout.  Improve these checks by calculating a minimum
  offset after which paint tables can occur and use that in safety
  checks.
  
  * src/sfnt/ttcolr.c (Colr, tt_face_load_colr): Declare
  `paint_start_v1` and calculate that as the minimum of the end of
  layer list and base glyph list.
  (get_child_table_pointer, read_paint, tt_face_get_paint_layers):
  Use that in safety checks.
  

2 changed files:

• ChangeLog
• src/sfnt/ttcolr.c

Changes:

ChangeLog

---

	1	+2021-06-28 Dominik Röttsches <drott@chromium.org>
	2	+
	3	+ [sfnt] Improve paint limit checks
	4	+
	5	+ Paint tables can appear before the `base_glyphs_v1` offset if the
	6	+ font is produced with the layer list before the base glyph list. In
	7	+ this case paint tables can occur after the layer list but before the
	8	+ base glyph list. Checks in the 'COLR' v1 code were rejecting fonts
	9	+ with this layout. Improve these checks by calculating a minimum
	10	+ offset after which paint tables can occur and use that in safety
	11	+ checks.
	12	+
	13	+ * src/sfnt/ttcolr.c (Colr, tt_face_load_colr): Declare
	14	+ `paint_start_v1` and calculate that as the minimum of the end of
	15	+ layer list and base glyph list.
	16	+ (get_child_table_pointer, read_paint, tt_face_get_paint_layers):
	17	+ Use that in safety checks.
	18	+
1	19	2021-06-28 Alexei Podtelezhnikov <apodtele@gmail.com>
2	20
3	21	[raster] Clean up vertical sweep.
...	...	@@ -202,7 +220,7 @@
202	220
203	221	2021-06-09 Alexei Podtelezhnikov <apodtele@gmail.com>
204	222
205		- * src/truetype/ttinterp.c (TT_RunIns): Optimize tracing.
	223	+ * src/truetype/ttinterp.c (TT_RunIns): Optimize tracing.
206	224
207	225	2021-06-09 Alexei Podtelezhnikov <apodtele@gmail.com>
208	226

src/sfnt/ttcolr.c

---

...	...	@@ -41,7 +41,7 @@
41	41
42	42	/* NOTE: These are the table sizes calculated through the specs. */
43	43	#define BASE_GLYPH_SIZE 6U
44		-#define BASE_GLYPH_V1_RECORD_SIZE 6U
	44	+#define BASE_GLYPH_PAINT_RECORD_SIZE 6U
45	45	#define LAYER_V1_LIST_PAINT_OFFSET_SIZE 4U
46	46	#define LAYER_V1_LIST_NUM_LAYERS_SIZE 4U
47	47	#define COLOR_STOP_SIZE 6U
...	...	@@ -83,6 +83,13 @@
83	83	FT_ULong num_layers_v1;
84	84	FT_Byte* layers_v1;
85	85
	86	+ /*
	87	+ * Paint tables start at the minimum of the end of the LayerList and the
	88	+ * end of the BaseGlyphList. Record this location in a field here for
	89	+ * safety checks when accessing paint tables.
	90	+ */
	91	+ FT_Byte* paints_start_v1;
	92	+
86	93	/* The memory that backs up the `COLR' table. */
87	94	void* table;
88	95	FT_ULong table_size;
...	...	@@ -170,7 +177,7 @@
170	177	p1 = (FT_Byte*)( table + base_glyphs_offset_v1 );
171	178	num_base_glyphs_v1 = FT_PEEK_ULONG( p1 );
172	179
173		- if ( num_base_glyphs_v1 * BASE_GLYPH_V1_RECORD_SIZE >
	180	+ if ( num_base_glyphs_v1 * BASE_GLYPH_PAINT_RECORD_SIZE >
174	181	table_size - base_glyphs_offset_v1 )
175	182	goto InvalidTable;
176	183
...	...	@@ -185,8 +192,18 @@
185	192	p1 = (FT_Byte*)( table + layer_offset_v1 );
186	193	num_layers_v1 = FT_PEEK_ULONG( p1 );
187	194
	195	+ if ( num_layers_v1 * LAYER_V1_LIST_PAINT_OFFSET_SIZE >
	196	+ table_size - layer_offset_v1 )
	197	+ goto InvalidTable;
	198	+
188	199	colr->num_layers_v1 = num_layers_v1;
189	200	colr->layers_v1 = p1;
	201	+
	202	+ colr->paints_start_v1 =
	203	+ FT_MIN( colr->base_glyphs_v1 +
	204	+ colr->num_base_glyphs_v1 * BASE_GLYPH_PAINT_RECORD_SIZE,
	205	+ colr->layers_v1 +
	206	+ colr->num_layers_v1 * LAYER_V1_LIST_PAINT_OFFSET_SIZE );
190	207	}
191	208
192	209	colr->base_glyphs = (FT_Byte*)( table + base_glyph_offset );
...	...	@@ -367,7 +384,7 @@
367	384
368	385	child_table_p = (FT_Byte*)( paint_base + paint_offset );
369	386
370		- if ( child_table_p < colr->base_glyphs_v1 ||
	387	+ if ( child_table_p < colr->paints_start_v1 ||
371	388	child_table_p >= ( (FT_Byte*)colr->table + colr->table_size ) )
372	389	return 0;
373	390
...	...	@@ -388,7 +405,7 @@
388	405	if ( !p || !colr || !colr->table )
389	406	return 0;
390	407
391		- if ( p < colr->base_glyphs_v1 ||
	408	+ if ( p < colr->paints_start_v1 ||
392	409	p >= ( (FT_Byte*)colr->table + colr->table_size ) )
393	410	return 0;
394	411
...	...	@@ -608,7 +625,7 @@
608	625	* skip `numBaseGlyphV1Records` by adding 4 to start binary search
609	626	* in the array of `BaseGlyphV1Record`.
610	627	*/
611		- FT_Byte *p = base_glyph_begin + 4 + mid * BASE_GLYPH_V1_RECORD_SIZE;
	628	+ FT_Byte *p = base_glyph_begin + 4 + mid * BASE_GLYPH_PAINT_RECORD_SIZE;
612	629
613	630	FT_UShort gid = FT_NEXT_USHORT( p );
614	631
...	...	@@ -704,7 +721,7 @@
704	721	/*
705	722	* First ensure that p is within COLRv1.
706	723	*/
707		- if ( p < colr->base_glyphs_v1 ||
	724	+ if ( p < colr->layers_v1 ||
708	725	p >= ( (FT_Byte*)colr->table + colr->table_size ) )
709	726	return 0;
710	727
...	...	@@ -731,7 +748,7 @@
731	748
732	749	p_paint = (FT_Byte*)( colr->layers_v1 + paint_offset );
733	750
734		- if ( p_paint < colr->base_glyphs_v1 ||
	751	+ if ( p_paint < colr->paints_start_v1 ||
735	752	p_paint >= ( (FT_Byte*)colr->table + colr->table_size ) )
736	753	return 0;
737	754

—
View it on GitLab.
You're receiving this email because of your account on gitlab.freedesktop.org. If you'd like to receive fewer emails, you can adjust your notification settings.