[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 335224bee: [sfnt] Fix bounds check in SVG.
From: |
Werner Lemberg |
Subject: |
[freetype2] master 335224bee: [sfnt] Fix bounds check in SVG. |
Date: |
Thu, 3 Mar 2022 22:24:22 -0500 (EST) |
branch: master
commit 335224beee2e72caab4ae56b76d6eb72001c3753
Author: Ben Wagner <bungeman@chromium.org>
Commit: Ben Wagner <bungeman@chromium.org>
[sfnt] Fix bounds check in SVG.
The `SVG_DOCUMENT_LIST_MINIMUM_SIZE` macro is non trivial and not
protected by parentheses. As a result, the expression
`table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE` expands to
`table_size - 2U + SVG_DOCUMENT_RECORD_SIZE` instead of the expected
`table_size - (2U + SVG_DOCUMENT_RECORD_SIZE)`. This causes an incorrect
bounds check which may lead to reading past the end of the `SVG ` table.
* src/sfnt/ttsvg.c (tt_face_load_svg): wrap macro definitions in
parentheses.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45179
---
src/sfnt/ttsvg.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/sfnt/ttsvg.c b/src/sfnt/ttsvg.c
index 781a88b4d..cb70ee8b1 100644
--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@@ -39,11 +39,11 @@
/* NOTE: These table sizes are given by the specification. */
-#define SVG_TABLE_HEADER_SIZE 10U
-#define SVG_DOCUMENT_RECORD_SIZE 12U
-#define SVG_DOCUMENT_LIST_MINIMUM_SIZE 2U + SVG_DOCUMENT_RECORD_SIZE
-#define SVG_MINIMUM_SIZE SVG_TABLE_HEADER_SIZE + \
- SVG_DOCUMENT_LIST_MINIMUM_SIZE
+#define SVG_TABLE_HEADER_SIZE (10U)
+#define SVG_DOCUMENT_RECORD_SIZE (12U)
+#define SVG_DOCUMENT_LIST_MINIMUM_SIZE (2U + SVG_DOCUMENT_RECORD_SIZE)
+#define SVG_MINIMUM_SIZE (SVG_TABLE_HEADER_SIZE + \
+ SVG_DOCUMENT_LIST_MINIMUM_SIZE)
typedef struct Svg_
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 335224bee: [sfnt] Fix bounds check in SVG.,
Werner Lemberg <=