
[Git][freetype/freetype][master] [woff,woff2] Limit the number of tables


From: Alexei Podtelezhnikov (@apodtele)
Subject: [Git][freetype/freetype][master] [woff,woff2] Limit the number of tables and use FT_MSB.
Date: Fri, 03 May 2024 15:45:05 +0000

Alexei Podtelezhnikov pushed to branch master at FreeType / FreeType

Commits:

  • 3f28a6b6
    by Alexei Podtelezhnikov (Алексей Подтележников) at 2024-05-03T15:44:57+00:00
    [woff,woff2] Limit the number of tables and use FT_MSB.
    
    The upper limit of 4095 is implied by the SFNT header format
    where the multiplication by 16 would overflow without it.
    
    * src/sfnt/sfwoff.c (woff_open_font): Updated.
    * src/sfnt/sfwoff2.c (woff2_open_font): Ditto.
    

2 changed files:

Changes:

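--- a/src/sfnt/sfwoff.c
+++ b/src/sfnt/sfwoff.c
@@ -18,6 +18,7 @@
 
 #include "sfwoff.h"
 #include <freetype/tttags.h>
+#include <freetype/internal/ftcalc.h>
 #include <freetype/internal/ftdebug.h>
 #include <freetype/internal/ftstream.h>
 #include <freetype/ftgzip.h>
@@ -149,6 +150,7 @@
     /* Miscellaneous checks. */
     if ( woff.length != stream->size                              ||
          woff.num_tables == 0                                     ||
+         woff.num_tables >  0xFFFU                                ||
          44 + woff.num_tables * 20UL >= woff.length               ||
          12 + woff.num_tables * 16UL >= woff.totalSfntSize        ||
          ( woff.totalSfntSize & 3 ) != 0                          ||
@@ -169,21 +171,11 @@
 
     /* Write sfnt header. */
     {
-      FT_UInt  searchRange, entrySelector, rangeShift, x;
+      FT_Int  entrySelector = FT_MSB( woff.num_tables );
+      FT_Int  searchRange   = ( 1 << entrySelector ) * 16;
+      FT_Int  rangeShift    = woff.num_tables * 16 - searchRange;
 
 
-      x             = woff.num_tables;
-      entrySelector = 0;
-      while ( x )
-      {
-        x            >>= 1;
-        entrySelector += 1;
-      }
-      entrySelector--;
-
-      searchRange = ( 1 << entrySelector ) * 16;
-      rangeShift  = woff.num_tables * 16 - searchRange;
-
       WRITE_ULONG ( sfnt_header, woff.flavor );
       WRITE_USHORT( sfnt_header, woff.num_tables );
       WRITE_USHORT( sfnt_header, searchRange );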
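Review bot: The new declarations at new lines 174–176 depend on the range check this commit adds at new line 153, but nothing at the point of use says so. `FT_MSB` is, as far as I know, not defined for an argument of 0, and with the switch from `FT_UInt` to signed `FT_Int` the expressions `( 1 << entrySelector ) * 16` and `woff.num_tables * 16` stay in range only because `num_tables`, which comes from the font file, has already been confined to 1..0xFFF. I would add a comment above the declarations such as `/* num_tables is in 1..0xFFF (checked above), so FT_MSB is defined and every value fits an unsigned 16-bit field */`. The literal `0xFFFU` is also repeated in this file and twice in sfwoff2.c; a shared named constant would keep the three checks in step. The enclosing function starts and ends outside the hunks shown.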
    

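--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -18,6 +18,7 @@
 #include "sfwoff2.h"
 #include "woff2tags.h"
 #include <freetype/tttags.h>
+#include <freetype/internal/ftcalc.h>
 #include <freetype/internal/ftdebug.h>
 #include <freetype/internal/ftstream.h>
 
@@ -1844,6 +1845,7 @@
     /* Miscellaneous checks. */
     if ( woff2.length != stream->size                               ||
          woff2.num_tables == 0                                      ||
+         woff2.num_tables >  0xFFFU                                 ||
          48 + woff2.num_tables * 20UL >= woff2.length               ||
          ( woff2.metaOffset == 0 && ( woff2.metaLength != 0     ||
                                       woff2.metaOrigLength != 0 ) ) ||
@@ -2134,7 +2136,7 @@
       WOFF2_TtcFont  ttc_font = woff2.ttc_fonts + face_index;
 
 
-      if ( ttc_font->num_tables == 0 )
+      if ( ttc_font->num_tables == 0 || ttc_font->num_tables > 0xFFFU )
       {
         FT_ERROR(( "woff2_open_font: invalid WOFF2 CollectionFontEntry\n" ));
         error = FT_THROW( Invalid_Table );
@@ -2197,23 +2199,14 @@
       goto Exit;
 
     {
-      FT_UInt   searchRange, entrySelector, rangeShift, x;
       FT_Byte*  sfnt_header = sfnt;
 
+      FT_Int  entrySelector = FT_MSB( woff.num_tables );
+      FT_Int  searchRange   = ( 1 << entrySelector ) * 16;
+      FT_Int  rangeShift    = woff.num_tables * 16 - searchRange;
 
-      x             = woff2.num_tables;
-      entrySelector = 0;
-      while ( x )
-      {
-        x            >>= 1;
-        entrySelector += 1;
-      }
-      entrySelector--;
-
-      searchRange = ( 1 << entrySelector ) * 16;
-      rangeShift  = ( woff2.num_tables * 16 ) - searchRange;
 
-      WRITE_ULONG( sfnt_header, woff2.flavor );
+      WRITE_ULONG ( sfnt_header, woff2.flavor );
       WRITE_USHORT( sfnt_header, woff2.num_tables );
       WRITE_USHORT( sfnt_header, searchRange );
       WRITE_USHORT( sfnt_header, entrySelector );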
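Review bot: The added declarations at new lines 2204 and 2206 read `woff.num_tables`, while every other line in this hunk, including the removed `x = woff2.num_tables;` and the `WRITE_USHORT( sfnt_header, woff2.num_tables )` that follows, uses `woff2`. This looks like a carry-over from sfwoff.c; unless an object named `woff` is declared outside the hunk the file will not compile, and if one is, the sfnt header would be computed from a count that the new `0xFFFU` checks in this file never validated. The lines should read `FT_Int  entrySelector = FT_MSB( woff2.num_tables );` and `FT_Int  rangeShift    = woff2.num_tables * 16 - searchRange;`. The block sits inside a function whose start and end are outside the hunk.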
    

