Werner Lemberg pushed to branch master at FreeType / FreeType
Commits:
-
ee6d03d3
by Dominik Röttsches at 2021-06-08T14:29:11+03:00
2 changed files:
Changes:
| 1 |
+2021-06-08 Dominik Röttsches <drott@chromium.org>
|
|
| 2 |
+ |
|
| 3 |
+ [sfnt] Pointer validity check when reading COLR 'v1' layers
|
|
| 4 |
+ |
|
| 5 |
+ * src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
|
|
| 6 |
+ existing sanity checks, ensure that the pointer to the layer to be
|
|
| 7 |
+ read is within the 'COLR' v1 table.
|
|
| 8 |
+ |
|
| 1 | 9 |
2021-06-08 Werner Lemberg <wl@gnu.org>
|
| 2 | 10 |
|
| 3 | 11 |
* src/sdf/ftsdfcommon.c: Fix inclusion of header files.
|
| ... | ... | @@ -701,6 +701,13 @@ |
| 701 | 701 |
*/
|
| 702 | 702 |
p = iterator->p;
|
| 703 | 703 |
|
| 704 |
+ /*
|
|
| 705 |
+ * First ensure that p is within COLRv1.
|
|
| 706 |
+ */
|
|
| 707 |
+ if ( p < colr->base_glyphs_v1 ||
|
|
| 708 |
+ p >= ( (FT_Byte*)colr->table + colr->table_size ) )
|
|
| 709 |
+ return 0;
|
|
| 710 |
+ |
|
| 704 | 711 |
/*
|
| 705 | 712 |
* Do a cursor sanity check of the iterator. Counting backwards from
|
| 706 | 713 |
* where it stands, we need to end up at a position after the beginning
|