From: Behdad Esfahbod
Subject: Re: [ft-devel] [freetype2] GSoC-2019-moazin 8887048: Performs basic to see if SVG data is valid or not.
Date: Mon, 29 Jul 2019 13:06:24 -0700
I see similar checks in `ttcpal.c' and many other places. Invalid data is checked for and rejected, so decided to do the same.

On Tue, Jul 30, 2019 at 12:59 AM Behdad Esfahbod <address@hidden> wrote:

Why?

On Mon, Jul 29, 2019 at 12:41 PM Moazin Khatti <address@hidden> wrote:

branch: GSoC-2019-moazin
commit 8887048557db93857ffa6169cfe4c3190f9cb1a1
Author: Moazin Khatti <address@hidden>
Commit: Moazin Khatti <address@hidden>
Performs basic to see if SVG data is valid or not.
---
src/sfnt/ttsvg.c | 38 ++++++++++++++++++++++++++++++++++++--
1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/src/sfnt/ttsvg.c b/src/sfnt/ttsvg.c
index f4a85ca..223eb88 100644
--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@@ -35,6 +35,24 @@
#include "ttsvg.h"
+/* SVG table looks like:
+ * --------------------------------------
+ * Bytes: Field |
+ * --------------------------------------
+ * 2 version
+ * 4 offsetToSVGDocumentList
+ * 4 reserved
+ * 2 numEntries (non-zero)
+ * 12*numEntries documentList
+ *
+ * Since numEntries must be at least one, minimum
+ * size of SVG table is 24. Everything apart from
+ * the documentList makes 12 bytes.
+ */
+
+#define SVG_HEADER_BASE_SIZE 12
+#define SVG_HEADER_MIN_SIZE 24
+
/* TODO: (OT-SVG) Decide whether to add documentation here or not */
typedef struct Svg_
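Review bot: The layout comment lists numEntries and documentList as if they directly follow version, offsetToSVGDocumentList and reserved, but a later hunk reads numEntries through `svg->svg_doc_list` after reassigning `p`, not by continuing from the header pointer. State in the comment that numEntries and the 12-byte records start at offsetToSVGDocumentList, and that SVG_HEADER_BASE_SIZE (12) and SVG_HEADER_MIN_SIZE (24) are sums that only describe the table when the list immediately follows the 10 header bytes; otherwise the two constants read as guarantees they do not give.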
@@ -69,6 +87,9 @@
if( error )
goto NoSVG;
+ if ( table_size < SVG_HEADER_MIN_SIZE )
+ goto InvalidTable;
+
if( FT_FRAME_EXTRACT( table_size, table ))
goto NoSVG;
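Review bot: `goto InvalidTable` at the new size check targets a label that none of the five hunks adds, and the surrounding context only uses `NoSVG`. If the label is not already present in ttsvg.c this will not build; either add it in this patch together with the error value it sets, or set `error` explicitly here and reuse `NoSVG`. Minor style point: the added line is written `if ( table_size`, while the neighbouring lines use `if( error )`.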
@@ -77,7 +98,14 @@
goto NoSVG;
p = table;
- svg->version = FT_NEXT_USHORT( p );
+ svg->version = FT_NEXT_USHORT( p );
+
+ /* At the time of writing this, only version 0 exists,
+ * and only that is supported by FreeType
+ */
+ if ( svg->version != 0 )
+ goto InvalidTable;
+
offsetToSVGDocumentList = FT_NEXT_ULONG( p );
if( offsetToSVGDocumentList == 0 )
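Review bot: The version check at `if ( svg->version != 0 )` runs after `FT_FRAME_EXTRACT( table_size, table )` has succeeded, whereas the size check in the previous hunk jumps to the same `InvalidTable` label before the frame exists. One label now has to serve both states, so confirm that the path taken from here releases the extracted frame, or use two labels. The comment could also say whether rejecting every non-zero version is intended to be permanent or only until a newer version is specified.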
@@ -88,6 +116,9 @@
p = svg->svg_doc_list;
svg->num_entries = FT_NEXT_USHORT( p );
+ if ( ( svg->num_entries*12 + SVG_HEADER_BASE_SIZE ) > table_size )
+ goto InvalidTable;
+
FT_TRACE3(( "version: %d\n", svg->version ));
FT_TRACE3(( "num entiries: %d\n", svg->num_entries ));
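Review bot: The bound `svg->num_entries*12 + SVG_HEADER_BASE_SIZE > table_size` does not involve offsetToSVGDocumentList, yet `num_entries` is read through `svg->svg_doc_list` and not from the first 12 bytes of the table. If the list sits at a larger offset, its records can run past `table_size` and still pass this test, and the `FT_NEXT_USHORT( p )` that fetches `num_entries` executes before any check that the list start itself lies inside the table. Suggest checking that offsetToSVGDocumentList + 2 <= table_size before the read, then that offsetToSVGDocumentList + 2 + 12 * num_entries <= table_size.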
@@ -244,7 +275,10 @@
*doc_length = mid_doc.length;
*start_glyph = mid_doc.start_glyph_id;
*end_glyph = mid_doc.end_glyph_id;
- error = FT_Err_Ok;
+ if ( *doc_length == 0 )
+ error = FT_THROW( Invalid_SVG_Document );
+ else
+ error = FT_Err_Ok;
}
return error;
}
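Review bot: In the new `if ( *doc_length == 0 )` branch, zero is the only length rejected, so a length larger than what remains of the table is still returned with FT_Err_Ok; consider bounding it against the table size here too. The out-parameters `*doc_length`, `*start_glyph` and `*end_glyph` are written before the error is decided, so a caller receives populated values together with a failure; assign them only on success, or document that they are undefined on error. `Invalid_SVG_Document` is not defined anywhere in this one-file patch, so it has to exist in the error definitions already.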
--behdad
http://behdad.org/
Freetype-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/freetype-devel