
[Git][freetype/freetype][master] [sfnt] Fix limit checks for `COLR` v1 C


From: Werner Lemberg (@wl)
Subject: [Git][freetype/freetype][master] [sfnt] Fix limit checks for `COLR` v1 ClipBoxes
Date: Tue, 11 Jan 2022 13:07:44 +0000

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

1 changed file:

Changes:

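--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -857,10 +857,14 @@
 
     p = colr->clip_list;
 
+    /* limit points to the first byte after the end of the color table.        */
+    /* Thus, in subsequent limit checks below we need to check whether the     */
+    /* read pointer is strictly greater than a position offset                 */
+    /* by certain field sizes to the left of that position.                    */
     limit = (FT_Byte*)colr->table + colr->table_size;
 
     /* Check whether we can extract one `uint8` and one `uint32`. */
-    if ( p >= limit - ( 1 + 4 ) )
+    if ( p > limit - ( 1 + 4 ) )
       return 0;
 
     clip_base        = p;
@@ -876,7 +880,7 @@
     /* Check whether we can extract two `uint16` and one `Offset24`, */
     /* `num_clip_boxes` times.                                       */
     if ( colr->table_size / ( 2 + 2 + 3 ) < num_clip_boxes ||
-         p >= limit - ( 2 + 2 + 3 ) * num_clip_boxes       )
+         p > limit - ( 2 + 2 + 3 ) * num_clip_boxes        )
       return 0;
 
     for ( i = 0; i < num_clip_boxes; ++i )
@@ -890,7 +894,7 @@
         p1 = (FT_Byte*)( clip_base + clip_box_offset );
 
         /* Check whether we can extract one `uint8`. */
-        if ( p1 >= limit - 1 )
+        if ( p1 > limit - 1 )
           return 0;
 
         format = FT_NEXT_BYTE( p1 );
@@ -899,7 +903,7 @@
           return 0;
 
         /* Check whether we can extract four `FWORD`. */
-        if ( p1 >= limit - ( 2 + 2 + 2 + 2 ) )
+        if ( p1 > limit - ( 2 + 2 + 2 + 2 ) )
           return 0;
 
         /* `face->root.size->metrics.x_scale` and `y_scale` are factors   */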
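Review bot: The corrected check `p > limit - ( 1 + 4 )` at new line 867 still computes a pointer below `limit` before comparing, which is undefined behaviour whenever `colr->table_size` is smaller than the subtracted field size; whether an earlier header check already rules that out is not visible in this hunk. Comparing the remaining length instead, `if ( limit - p < 1 + 4 )`, never forms an out-of-object pointer and also rejects a `p` that already lies past `limit`, since the difference is then negative. The same form applies to the `limit - 1` check at new line 897 and the `limit - ( 2 + 2 + 2 + 2 )` check at new line 907, where `p1 = clip_base + clip_box_offset` is derived from a font-supplied offset and may land anywhere beyond `limit`; the `num_clip_boxes` check at new line 883 is already covered by the preceding `table_size / ( 2 + 2 + 3 )` guard. The enclosing function starts before the first hunk and continues past the last.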
    

