Werner Lemberg pushed to branch master at FreeType / FreeType
Commits:
- b24cfc8d by Werner Lemberg at 2021-06-08T15:26:41+02:00
2 changed files:
Changes:
1 |
+2021-06-08 Werner Lemberg <wl@gnu.org>
|
|
2 |
+ |
|
3 |
+ [sfnt] Sanitize cmap4 table better.
|
|
4 |
+ |
|
5 |
+ Fixes #1062.
|
|
6 |
+ |
|
7 |
+ * src/sfnt/ttcmap.c (tt_cmap4_validate): Handle a too-small value of
|
|
8 |
+ `length` gracefully.
|
|
9 |
+ |
|
1 | 10 |
2021-06-08 Dominik Röttsches <drott@chromium.org>
|
2 | 11 |
|
3 | 12 |
[sfnt] Pointer validity check when reading COLR 'v1' layers
|
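Review bot: the new entry's description of `tt_cmap4_validate` ("Handle a too-small value of `length` gracefully") leaves out that the result depends on the validation level. In the code change the too-small case raises FT_INVALID_DATA when `valid->level >= FT_VALIDATE_PARANOID`, and the value is only corrected below that level. Suggest saying so in the entry, for example "Reject a too-small `length` at paranoid level, otherwise extend it to the table limit", so that a reader of the ChangeLog knows a font can now fail paranoid validation for this reason.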
... | ... | @@ -916,6 +916,16 @@ |
916 | 916 |
length = (FT_UInt)( valid->limit - table );
|
917 | 917 |
}
|
918 | 918 |
|
919 |
+ /* it also happens that the `length' field is too small; */
|
|
920 |
+ /* this is easy to correct */
|
|
921 |
+ if ( length < (FT_UInt)( valid->limit - table ) )
|
|
922 |
+ {
|
|
923 |
+ if ( valid->level >= FT_VALIDATE_PARANOID )
|
|
924 |
+ FT_INVALID_DATA;
|
|
925 |
+ |
|
926 |
+ length = (FT_UInt)( valid->limit - table );
|
|
927 |
+ }
|
|
928 |
+ |
|
919 | 929 |
if ( length < 16 )
|
920 | 930 |
FT_INVALID_TOO_SHORT;
|
921 | 931 |
|
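Review bot: the added test at new line 921, `if ( length < (FT_UInt)( valid->limit - table ) )`, treats every `length` that is smaller than the bytes remaining up to `valid->limit` as "too small", not only a length that is too short for the subtable's own contents. Together with the assignment on line 916, which already sets `length` to the same expression, this means that below FT_VALIDATE_PARANOID the stored field no longer influences validation at all: `length` always ends up equal to `valid->limit - table`. That is only safe if `valid->limit` bounds exactly this subtable. If it can bound a larger region, a correct `length` is overwritten and the later checks run against bytes that do not belong to this subtable, while at paranoid level a well-formed subtable followed by other data is rejected. Please state in the comment what `valid->limit` covers at this point, or compare `length` against the minimum size the subtable needs instead of against the remaining space. Two smaller points: the `length < 16` check that follows can now only fire when fewer than 16 bytes remain before the limit, which deserves a note, and the two added comment lines at 919 and 920 have unaligned closing `*/` markers.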