freetype-commit
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Git][freetype/freetype][wl/40716] * src/sfnt/ttcolr.c (tt_face_get_colo

From: Werner Lemberg (@wl)
Subject: [Git][freetype/freetype][wl/40716] * src/sfnt/ttcolr.c (tt_face_get_color_glyph_clipbox): Add limit checks.
Date: Mon, 10 Jan 2022 18:30:44 +0000

Werner Lemberg pushed to branch wl/40716 at FreeType / FreeType

Commits:

1 changed file:

Changes:

  • src/sfnt/ttcolr.c
    ... ... @@ -824,7 +824,7 @@
    824 824 
       {
    825 825 
         Colr*  colr;
    826 826
    827 
    -    FT_Byte  *p, *p1, *clip_base;
    827 
    +    FT_Byte  *p, *p1, *clip_base, *limit;
    828 828
    829 829 
         FT_Byte    clip_list_format;
    830 830 
         FT_ULong   num_clip_boxes, i;
    ... ... @@ -847,16 +847,28 @@
    847 847
    848 848 
         p = colr->clip_list;
    849 849
    850 
    +    limit = (FT_Byte*)colr->table + colr->table_size;
    851 
    +
    852 
    +    /* Check whether we can extract one `uint8` and one `uint32`. */
    853 
    +    if ( p >= limit - ( 1 + 4 ) )
    854 
    +      return 0;
    855 
    +
    850 856 
         clip_base        = p;
    851 857 
         clip_list_format = FT_NEXT_BYTE ( p );
    852 858
    853 859 
         /* Format byte used here to be able to upgrade ClipList for >16bit */
    854 
    -    /* glyph ids; for now we can expect it to be 0. */
    860 
    +    /* glyph ids; for now we can expect it to be 0.                    */
    855 861 
         if ( !( clip_list_format == 1 ) )
    856 862 
           return 0;
    857 863
    858 864 
         num_clip_boxes = FT_NEXT_ULONG( p );
    859 865
    866 
    +    /* Check whether we can extract two `uint16` and one `Offset24`, */
    867 
    +    /* `num_clip_boxes` times.                                       */
    868 
    +    if ( colr->table_size / ( 2 + 2 + 3 ) < num_clip_boxes ||
    869 
    +         p >= limit - ( 2 + 2 + 3 ) * num_clip_boxes       )
    870 
    +      return 0;
    871 
    +
    860 872 
         for ( i = 0; i < num_clip_boxes; ++i )
    861 873 
         {
    862 874 
           gid_start       = FT_NEXT_USHORT( p );
    ... ... @@ -867,7 +879,8 @@
    867 879 
           {
    868 880 
             p1 = (FT_Byte*)( clip_base + clip_box_offset );
    869 881
    870 
    -        if ( p1 >= ( (FT_Byte*)colr->table + colr->table_size ) )
    882 
    +        /* Check whether we can extract one `uint8`. */
    883 
    +        if ( p1 >= limit - 1 )
    871 884 
               return 0;
    872 885
    873 886 
             format = FT_NEXT_BYTE( p1 );
    ... ... @@ -875,6 +888,10 @@
    875 888 
             if ( format > 1 )
    876 889 
               return 0;
    877 890
    891 
    +        /* Check whether we can extract four `FWORD`. */
    892 
    +        if ( p1 >= limit - ( 2 + 2 + 2 + 2 ) )
    893 
    +          return 0;
    894 
    +
    878 895 
             /* `face->root.size->metrics.x_scale` and `y_scale` are factors   */
    879 896 
             /* that scale a font unit value in integers to a 26.6 fixed value */
    880 897 
             /* according to the requested size, see for example               */


    • View it on GitLab.
    You're receiving this email because of your account on gitlab.freedesktop.org. If you'd like to receive fewer emails, you can adjust your notification settings.

    reply via email to
    [Prev in Thread] Current Thread [Next in Thread]