Werner Lemberg pushed to branch master at FreeType / FreeType
Commits:
-
112527dd
by Werner Lemberg at 2022-01-22T12:09:08+01:00
1 changed file:
Changes:
| ... | ... | @@ -38,6 +38,14 @@ |
| 38 | 38 |
#include "ttsvg.h"
|
| 39 | 39 |
|
| 40 | 40 |
|
| 41 |
+ /* NOTE: These table sizes are given by the specification. */
|
|
| 42 |
+#define SVG_TABLE_HEADER_SIZE 10U
|
|
| 43 |
+#define SVG_DOCUMENT_RECORD_SIZE 12U
|
|
| 44 |
+#define SVG_DOCUMENT_LIST_MINIMUM_SIZE 2U + SVG_DOCUMENT_RECORD_SIZE
|
|
| 45 |
+#define SVG_MINIMUM_SIZE SVG_TABLE_HEADER_SIZE + \
|
|
| 46 |
+ SVG_DOCUMENT_LIST_MINIMUM_SIZE
|
|
| 47 |
+ |
|
| 48 |
+ |
|
| 41 | 49 |
typedef struct Svg_
|
| 42 | 50 |
{
|
| 43 | 51 |
FT_UShort version; /* table version (starting at 0) */
|
| ... | ... | @@ -79,6 +87,9 @@ |
| 79 | 87 |
if ( error )
|
| 80 | 88 |
goto NoSVG;
|
| 81 | 89 |
|
| 90 |
+ if ( table_size < SVG_MINIMUM_SIZE )
|
|
| 91 |
+ goto InvalidTable;
|
|
| 92 |
+ |
|
| 82 | 93 |
if ( FT_FRAME_EXTRACT( table_size, table ) )
|
| 83 | 94 |
goto NoSVG;
|
| 84 | 95 |
|
| ... | ... | @@ -90,7 +101,9 @@ |
| 90 | 101 |
svg->version = FT_NEXT_USHORT( p );
|
| 91 | 102 |
offsetToSVGDocumentList = FT_NEXT_ULONG( p );
|
| 92 | 103 |
|
| 93 |
- if ( offsetToSVGDocumentList == 0 )
|
|
| 104 |
+ if ( offsetToSVGDocumentList < SVG_TABLE_HEADER_SIZE ||
|
|
| 105 |
+ offsetToSVGDocumentList > table_size -
|
|
| 106 |
+ SVG_DOCUMENT_LIST_MINIMUM_SIZE )
|
|
| 94 | 107 |
goto InvalidTable;
|
| 95 | 108 |
|
| 96 | 109 |
svg->svg_doc_list = (FT_Byte*)( table + offsetToSVGDocumentList );
|
| ... | ... | @@ -101,6 +114,10 @@ |
| 101 | 114 |
FT_TRACE3(( "version: %d\n", svg->version ));
|
| 102 | 115 |
FT_TRACE3(( "number of entries: %d\n", svg->num_entries ));
|
| 103 | 116 |
|
| 117 |
+ if ( offsetToSVGDocumentList +
|
|
| 118 |
+ svg->num_entries * SVG_DOCUMENT_RECORD_SIZE > table_size )
|
|
| 119 |
+ goto InvalidTable;
|
|
| 120 |
+ |
|
| 104 | 121 |
svg->table = table;
|
| 105 | 122 |
svg->table_size = table_size;
|
| 106 | 123 |
|