Ben Wagner pushed to branch master at FreeType / FreeType
Commits:
336503df
by Werner Lemberg at 2023-07-16T07:40:32+02:00
1 changed file:
Changes:
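--- a/FILE_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -36,6 +36,8 @@
 #undef FT_COMPONENT
 #define FT_COMPONENT sfwoff2
 
+ /* An arbitrary, heuristic size limit (67MByte) for expanded WOFF2 data. */
+#define MAX_SFNT_SIZE ( 1 << 26 )
 
 #define READ_255USHORT( var ) FT_SET_ERROR( Read255UShort( stream, &var ) )
 
@@ -2180,9 +2182,8 @@
 else
 sfnt_size = woff2.totalSfntSize;
 
- /* Value 1<<26 = 67108864 is heuristic. */
- if (sfnt_size >= (1 << 26))
- sfnt_size = 1 << 26;
+ if ( sfnt_size >= MAX_SFNT_SIZE )
+ sfnt_size = MAX_SFNT_SIZE;
 
 #ifdef FT_DEBUG_LEVEL_TRACE
 if ( sfnt_size != woff2.totalSfntSize )
@@ -2257,6 +2258,17 @@
 goto Exit;
 }
 
+ /* We must not blindly trust `uncompressed_size` since its */
+ /* value might be corrupted. If it is too large, reject the */
+ /* font. In other words, we don't accept a WOFF2 font that */
+ /* expands to something larger than MAX_SFNT_SIZE. If ever */
+ /* necessary, this limit can be easily adjusted. */
+ if ( woff2.uncompressed_size > MAX_SFNT_SIZE )
+ {
+ FT_ERROR(( "Uncompressed font too large.\n" ));
+ return FT_THROW( Array_Too_Large );
+ }
+
 /* Allocate memory for uncompressed table data. */
 if ( FT_QALLOC( uncompressed_buf, woff2.uncompressed_size ) ||
 FT_FRAME_ENTER( woff2.totalCompressedSize ) )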