
[freetype2] master 9960e7b: [sfnt] Fix color glyph layer loading.


From: Werner LEMBERG
Subject: [freetype2] master 9960e7b: [sfnt] Fix color glyph layer loading.
Date: Sat, 16 Jun 2018 16:16:21 -0400 (EDT)

branch: master
commit 9960e7beabe3fa962fe5a3a020dfd97b40e93f10
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    [sfnt] Fix color glyph layer loading.
    
    * src/sfnt/ttcolr.c (Colr): Add `table_size' field.
    (tt_face_load_colr): Set it.
    (tt_face_get_colr_layer): Check pointer limit for layer entries.
---
 ChangeLog         |  8 ++++++++
 src/sfnt/ttcolr.c | 16 ++++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3f53703..6ac9ead 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2018-06-16  Werner Lemberg  <address@hidden>
 
+       [sfnt] Fix color glyph layer loading.
+
+       * src/sfnt/ttcolr.c (Colr): Add `table_size' field.
+       (tt_face_load_colr): Set it.
+       (tt_face_get_colr_layer): Check pointer limit for layer entries.
+
+2018-06-16  Werner Lemberg  <address@hidden>
+
        [sfnt] Fix color palette loading.
 
        Reported as
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 7e44d42..4fc4300 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -64,7 +64,8 @@
     FT_Byte*  layers;
 
     /* The memory which backs up the `COLR' table. */
-    void*  table;
+    void*     table;
+    FT_ULong  table_size;
 
   } Colr;
 
@@ -138,6 +139,7 @@
     colr->base_glyphs = (FT_Byte*)( table + base_glyph_offset );
     colr->layers      = (FT_Byte*)( table + layer_offset      );
     colr->table       = table;
+    colr->table_size  = table_size;
 
     face->colr = colr;
 
@@ -220,6 +222,9 @@
 
     if ( !iterator->p )
     {
+      FT_ULong  offset;
+
+
       /* first call to function */
       iterator->layer = 0;
 
@@ -229,13 +234,16 @@
                                     &glyph_record ) )
         return 0;
 
-      iterator->p = colr->layers +
-                      LAYER_SIZE * glyph_record.first_layer_index;
-
       if ( glyph_record.num_layers )
         iterator->num_layers = glyph_record.num_layers;
       else
         return 0;
+
+      offset = LAYER_SIZE * glyph_record.first_layer_index;
+      if ( offset + LAYER_SIZE * glyph_record.num_layers > colr->table_size )
+        return 0;
+
+      iterator->p = colr->layers + offset;
     }
 
     if ( iterator->layer >= iterator->num_layers )
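Review bot: The new limit check in tt_face_get_colr_layer measures `offset` from `colr->layers`, but compares the end of the range against `colr->table_size`, which is the size of the whole table counted from `colr->table`. Because tt_face_load_colr sets `colr->layers = table + layer_offset`, a glyph record that passes this check can still describe layer entries ending up to `layer_offset` bytes beyond the table, so a malformed font may still lead to a read past the mapped `COLR' data. The limit should be reduced by the layers offset, for example `if ( offset + LAYER_SIZE * glyph_record.num_layers > colr->table_size - (FT_ULong)( colr->layers - (FT_Byte*)colr->table ) )`. This presumes the load-time validation, which is outside these hunks, already keeps `layer_offset` within `table_size`; the body of tt_face_get_colr_layer also starts before and continues after this hunk.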


