[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master ee6d03d: [sfnt] Pointer validity check when reading C
From: |
Werner Lemberg |
Subject: |
[freetype2] master ee6d03d: [sfnt] Pointer validity check when reading COLR 'v1' layers |
Date: |
Tue, 8 Jun 2021 07:34:05 -0400 (EDT) |
branch: master
commit ee6d03d369e78812dc753c55a85226af343b845e
Author: Dominik Röttsches <drott@chromium.org>
Commit: Dominik Röttsches <drott@chromium.org>
[sfnt] Pointer validity check when reading COLR 'v1' layers
* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
existing sanity checks, ensure that the pointer to the layer to be
read is within the 'COLR' v1 table.
---
ChangeLog | 8 ++++++++
src/sfnt/ttcolr.c | 7 +++++++
2 files changed, 15 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 190efa6..1c61793 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2021-06-08 Dominik Röttsches <drott@chromium.org>
+
+ [sfnt] Pointer validity check when reading COLR 'v1' layers
+
+ * src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
+ existing sanity checks, ensure that the pointer to the layer to be
+ read is within the 'COLR' v1 table.
+
2021-06-08 Werner Lemberg <wl@gnu.org>
* src/sdf/ftsdfcommon.c: Fix inclusion of header files.
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index fa58a90..c3f225d 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -702,6 +702,13 @@
p = iterator->p;
/*
+ * First ensure that p is within COLRv1.
+ */
+ if ( p < colr->base_glyphs_v1 ||
+ p >= ( (FT_Byte*)colr->table + colr->table_size ) )
+ return 0;
+
+ /*
* Do a cursor sanity check of the iterator. Counting backwards from
* where it stands, we need to end up at a position after the beginning
* of the `LayerV1List` table and not after the end of the
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master ee6d03d: [sfnt] Pointer validity check when reading COLR 'v1' layers,
Werner Lemberg <=