[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 3829fdaae: Avoid overflow in COLR bounds checks.
From: |
Werner Lemberg |
Subject: |
[freetype2] master 3829fdaae: Avoid overflow in COLR bounds checks. |
Date: |
Fri, 4 Aug 2023 14:24:32 -0400 (EDT) |
branch: master
commit 3829fdaae5f12590f93807e9bcb866be131a201a
Author: Ben Wagner <bungeman@chromium.org>
Commit: Ben Wagner <bungeman@chromium.org>
Avoid overflow in COLR bounds checks.
The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may
be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long`
is 32 bits adding 4 to such values will wrap and pass bounds checks but
accessing values at such offsets will be out of bounds.
On the other hand `table_size` has already been tested to be at least
`COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it.
* src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size`
instead of adding 4 to font data offsets in bounds checks
Fixes: https://crbug.com/1469348
---
src/sfnt/ttcolr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 69ccf0ee7..281e7135e 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -229,7 +229,7 @@
base_glyphs_offset_v1 = FT_NEXT_ULONG( p );
- if ( base_glyphs_offset_v1 + 4 >= table_size )
+ if ( base_glyphs_offset_v1 >= table_size - 4 )
goto InvalidTable;
p1 = (FT_Byte*)( table + base_glyphs_offset_v1 );
@@ -249,7 +249,7 @@
if ( layer_offset_v1 )
{
- if ( layer_offset_v1 + 4 >= table_size )
+ if ( layer_offset_v1 >= table_size - 4 )
goto InvalidTable;
p1 = (FT_Byte*)( table + layer_offset_v1 );
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 3829fdaae: Avoid overflow in COLR bounds checks.,
Werner Lemberg <=