Werner Lemberg pushed to branch master at FreeType / FreeType
Commits:
-
7f8a1edd
by Dominik Röttsches at 2021-04-16T12:41:58+03:00
2 changed files:
Changes:
| 1 |
+2021-04-16 Dominik Röttsches <drott@chromium.org>
|
|
| 2 |
+ |
|
| 3 |
+ [sfnt] Safeguard 'COLR' v1 layer extraction
|
|
| 4 |
+ |
|
| 5 |
+ * src/sfnt/ttcolr.c (tt_face_get_paint_layers): Do not output
|
|
| 6 |
+ layer pointer to iterator if it is outside the 'COLR' table.
|
|
| 7 |
+ (read_paint): Do not attempt to read layers that are outside the
|
|
| 8 |
+ table.
|
|
| 9 |
+ |
|
| 1 | 10 |
2021-04-02 Ben Wagner <bungeman@chromium.org>
|
| 2 | 11 |
|
| 3 | 12 |
[base] Complete `ft_glyphslot_clear`.
|
| ... | ... | @@ -388,6 +388,9 @@ |
| 388 | 388 |
if ( !p || !colr || !colr->table )
|
| 389 | 389 |
return 0;
|
| 390 | 390 |
|
| 391 |
+ if ( p < colr->base_glyphs_v1 ||
|
|
| 392 |
+ p >= ( (FT_Byte*)colr->table + colr->table_size ) )
|
|
| 393 |
+ |
|
| 391 | 394 |
apaint->format = FT_NEXT_BYTE( p );
|
| 392 | 395 |
|
| 393 | 396 |
if ( apaint->format >= FT_COLR_PAINT_FORMAT_MAX )
|
| ... | ... | @@ -678,6 +681,7 @@ |
| 678 | 681 |
{
|
| 679 | 682 |
FT_Byte* p = NULL;
|
| 680 | 683 |
FT_Byte* p_first_layer = NULL;
|
| 684 |
+ FT_Byte* p_paint = NULL;
|
|
| 681 | 685 |
FT_UInt32 paint_offset;
|
| 682 | 686 |
|
| 683 | 687 |
Colr* colr;
|
| ... | ... | @@ -716,8 +720,13 @@ |
| 716 | 720 |
FT_NEXT_ULONG( p );
|
| 717 | 721 |
opaque_paint->insert_root_transform =
|
| 718 | 722 |
0;
|
| 719 |
- opaque_paint->p =
|
|
| 720 |
- (FT_Byte*)( colr->layers_v1 + paint_offset );
|
|
| 723 |
+ |
|
| 724 |
+ p_paint = (FT_Byte*)( colr->layers_v1 + paint_offset );
|
|
| 725 |
+ |
|
| 726 |
+ if ( p_paint < colr->base_glyphs_v1 ||
|
|
| 727 |
+ p_paint >= ( (FT_Byte*)colr->table + colr->table_size ) )
|
|
| 728 |
+ |
|
| 729 |
+ opaque_paint->p = p_paint;
|
|
| 721 | 730 |
|
| 722 | 731 |
iterator->p = p;
|
| 723 | 732 |
|