freetype-commit

[Git][freetype/freetype][master] Reject 'COLR' table if version is 1 but


From: Werner Lemberg (@wl)
Subject: [Git][freetype/freetype][master] Reject 'COLR' table if version is 1 but header too small.
Date: Fri, 16 Sep 2022 17:01:11 +0000

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

  • 33ceac2a
    by Dominik Röttsches at 2022-09-16T18:55:24+02:00
    Reject 'COLR' table if version is 1 but header too small.
    
    * src/sfnt/ttcolr.c (tt_face_load_colr): If the version is determined to
    be 1, then the table size has to be at least the size of the v1 header.
    Also, for peeking the number of base glyphs and entries in the layer list,
    ensure that the table is sufficiently long.
    
    Fixes #1179.  Original patch by Sergey Temnikov.
    

1 changed file:

Changes:

  • src/sfnt/ttcolr.c
    ... ... @@ -57,7 +57,11 @@
    57 57
     #define LAYER_V1_LIST_NUM_LAYERS_SIZE     4U
    
    58 58
     #define COLOR_STOP_SIZE                   6U
    
    59 59
     #define LAYER_SIZE                        4U
    
    60
    -#define COLR_HEADER_SIZE                 14U
    
    60
    +/* https://docs.microsoft.com/en-us/typography/opentype/spec/colr#colr-header */
    
    61
    +/* 3 * uint16 + 2 * Offset32 */
    
    62
    +#define COLRV0_HEADER_SIZE               14U
    
    63
    +/* COLRV0_HEADER_SIZE + 5 * Offset32 */
    
    64
    +#define COLRV1_HEADER_SIZE               34U
    
    61 65
     
    
    62 66
     
    
    63 67
     #define VARIABLE_COLRV1_ENABLED                                            \
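Review bot: the derivations in the new comments agree with the literals: 3 * uint16 + 2 * Offset32 = 6 + 8 = 14 for COLRV0_HEADER_SIZE, and 14 + 5 * Offset32 = 34 for COLRV1_HEADER_SIZE, so the rename of COLR_HEADER_SIZE to COLRV0_HEADER_SIZE is consistent with the spec link above. One clarity point: `/* COLRV0_HEADER_SIZE + 5 * Offset32 */` would be easier to verify without following the link if it named the five v1 offsets (base glyph list, layer list, clip list, variation index map, item variation store) that make the v1 header exactly 34 bytes.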
    
    ... ... @@ -191,7 +195,7 @@
    191 195
         colr_offset_in_stream = FT_STREAM_POS();
    
    192 196
     #endif
    
    193 197
     
    
    194
    -    if ( table_size < COLR_HEADER_SIZE )
    
    198
    +    if ( table_size < COLRV0_HEADER_SIZE )
    
    195 199
           goto InvalidTable;
    
    196 200
     
    
    197 201
         if ( FT_FRAME_EXTRACT( table_size, table ) )
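Review bot: `if ( table_size < COLRV0_HEADER_SIZE )` is a pure rename with the same 14U bound, so behaviour here is unchanged, and it correctly stays ahead of `FT_FRAME_EXTRACT( table_size, table )` so the frame is only extracted once the minimum v0 header is known to fit. The commit message could say explicitly that the v0 bound is kept for every version and the v1 bound is applied only after the version field has been read, because the two checks sit in different hunks and a reader of this one alone cannot see the second.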
    
    ... ... @@ -225,9 +229,12 @@
    225 229
     
    
    226 230
         if ( colr->version == 1 )
    
    227 231
         {
    
    232
    +      if ( table_size < COLRV1_HEADER_SIZE )
    
    233
    +        goto InvalidTable;
    
    234
    +
    
    228 235
           base_glyphs_offset_v1 = FT_NEXT_ULONG( p );
    
    229 236
     
    
    230
    -      if ( base_glyphs_offset_v1 >= table_size )
    
    237
    +      if ( base_glyphs_offset_v1 + 4 >= table_size )
    
    231 238
             goto InvalidTable;
    
    232 239
     
    
    233 240
           p1                 = (FT_Byte*)( table + base_glyphs_offset_v1 );
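Review bot: `if ( base_glyphs_offset_v1 + 4 >= table_size )` can wrap when FT_ULong is 32 bits (Windows and 32-bit targets): an offset close to 0xFFFFFFFF read by `FT_NEXT_ULONG( p )` makes `base_glyphs_offset_v1 + 4` a small value, the check passes, and `p1 = (FT_Byte*)( table + base_glyphs_offset_v1 );` then points far outside the table. Writing the bound as a subtraction avoids the wrap, e.g. `if ( base_glyphs_offset_v1 > table_size - 4 )`, which cannot underflow here because the new `table_size < COLRV1_HEADER_SIZE` check already guarantees table_size >= 34. Separately, `>=` rejects an offset whose 4-byte count ends exactly at table_size; that is the conservative direction and harmless, but `>` is the exact bound for peeking four bytes, so the choice deserves a short comment.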
    
    ... ... @@ -247,6 +254,9 @@
    247 254
     
    
    248 255
           if ( layer_offset_v1 )
    
    249 256
           {
    
    257
    +        if ( layer_offset_v1 + 4 >= table_size )
    
    258
    +          goto InvalidTable;
    
    259
    +
    
    250 260
             p1            = (FT_Byte*)( table + layer_offset_v1 );
    
    251 261
             num_layers_v1 = FT_PEEK_ULONG( p1 );
    
    252 262
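Review bot: same wrap concern as for base_glyphs_offset_v1: `if ( layer_offset_v1 + 4 >= table_size )` can wrap on 32-bit FT_ULong, so `layer_offset_v1 > table_size - 4` is the safer form. Both sites now peek a 4-byte count at an offset taken from the font, so a small shared macro (a hypothetical `ENSURE_READ_ULONG( offset, table_size )`, say) used at both places would keep the two bounds from drifting apart in later edits. The check sits inside `if ( layer_offset_v1 )`, so a zero offset skips it, which is consistent with the existing guard treating zero as "no layer list".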
     
    

