
[freetype2] master df2601395: [sfnt] Guard access in 'COLR' table when r


From: Werner Lemberg
Subject: [freetype2] master df2601395: [sfnt] Guard access in 'COLR' table when requesting child table pointer.
Date: Tue, 27 Sep 2022 12:21:19 -0400 (EDT)

branch: master
commit df2601395f96d5d513f15795a725abfe76214d95
Author: Dominik Röttsches <drott@chromium.org>
Commit: Werner Lemberg <wl@gnu.org>

    [sfnt] Guard access in 'COLR' table when requesting child table pointer.
    
    * src/sfnt/ttcolr.c (tt_face_get_colorline_stops, read_paint): Tighten
    pointer bounds checks.
    (get_child_table_pointer): Check whether incoming pointer `p` lies within
    the 'COLR' table.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51816
---
 src/sfnt/ttcolr.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 5df31b9e0..c65ca3da5 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -554,6 +554,10 @@
     if ( !child_table_pointer )
       return 0;
 
+    if ( *p < colr->paints_start_v1                            ||
+         *p > (FT_Byte*)colr->table + colr->table_size - 1 - 3 )
+      return 0;
+
     paint_offset = FT_NEXT_UOFF3( *p );
     if ( !paint_offset )
       return 0;
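Review bot: The new upper bound is one byte stricter than the read it protects: FT_NEXT_UOFF3 consumes bytes `*p`, `*p+1` and `*p+2`, so the last admissible start is `table + table_size - 3`, while `- 1 - 3` stops at `table_size - 4` and rejects a child offset stored in the final three bytes of an otherwise well-formed table. The memory-safety intent is preserved either way, but the same "last byte minus read size minus one" arithmetic recurs in read_paint and tt_face_get_colorline_stops, so it is worth settling on one form, e.g. `*p > (FT_Byte*)colr->table + colr->table_size - 3` with a comment `/* a 3-byte offset must lie entirely inside the table */`. Note also that `table + table_size - 4` is only a valid pointer if `table_size >= 4`; presumably the loader enforces a minimum table length before paints_start_v1 is set, but that precondition is not visible in this hunk. The enclosing function get_child_table_pointer starts and ends outside the hunk.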
@@ -650,8 +654,10 @@
     if ( !p || !colr || !colr->table )
       return 0;
 
-    if ( p < colr->paints_start_v1                         ||
-         p >= ( (FT_Byte*)colr->table + colr->table_size ) )
+    /* The last byte of the 'COLR' table is at 'size-1'; subtract 1 of    */
+    /* that to account for the expected format byte we are going to read. */
+    if ( p < colr->paints_start_v1                        ||
+         p > (FT_Byte*)colr->table + colr->table_size - 2 )
       return 0;
 
     apaint->format = (FT_PaintFormat)FT_NEXT_BYTE( p );
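Review bot: The tightened bound only covers the format byte read on the last line of the hunk (and one spare byte), not the format-specific fields that read_paint presumably consumes after it; if those later FT_NEXT_* reads are not individually bounded against `table + table_size`, a paint record truncated by the end of the table can still be read past the buffer, which is the class of bug this commit is fixing. It would help a reader to state that explicitly, e.g. `/* Only the format byte is guaranteed readable here; each format-specific */` `/* field read below must stay within the 'COLR' table bounds.            */`. The added comment's "subtract 1 of that" is also easy to misread; `subtract 1 from that` matches what the expression does. read_paint's body continues outside the hunk.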
@@ -1577,10 +1583,12 @@
     if ( iterator->current_color_stop >= iterator->num_color_stops )
       return 0;
 
+    /* Subtract 3 times 2 because we need to succeed in reading */
+    /* three 2-byte short values.                               */
     if ( iterator->p +
-           ( ( iterator->num_color_stops - iterator->current_color_stop ) *
-             COLOR_STOP_SIZE ) >
-         ( (FT_Byte *)colr->table + colr->table_size ) )
+           ( iterator->num_color_stops - iterator->current_color_stop ) *
+           COLOR_STOP_SIZE >
+         (FT_Byte*)colr->table + colr->table_size - 1 - 2 - 2 - 2 )
       return 0;
 
     /* Iterator points at first `ColorStop` of `ColorLine`. */
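Review bot: The right-hand side's `- 1 - 2 - 2 - 2` double-counts the bytes the left-hand side already reserves: `( num_color_stops - current_color_stop ) * COLOR_STOP_SIZE` is the total size of the remaining stops (COLOR_STOP_SIZE is not visible here but the new comment describes it as three 2-byte values), so the condition now rejects any ColorLine whose final stop ends within the last seven bytes of the table, even though every read would stay in bounds. The original `>` against `table + table_size` was exact for that purpose; if the extra margin is intentional, the comment should say why, otherwise the bound should be `(FT_Byte*)colr->table + colr->table_size`. Independently, forming `iterator->p + remaining * COLOR_STOP_SIZE` before comparing creates a pointer that may lie far outside the table object, which is undefined behaviour in C and can be folded away by the compiler; a length-based guard such as `(FT_ULong)( (FT_Byte*)colr->table + colr->table_size - iterator->p ) < ( iterator->num_color_stops - iterator->current_color_stop ) * COLOR_STOP_SIZE` avoids that, provided `iterator->p` has already been checked to lie within the table. The enclosing function tt_face_get_colorline_stops starts and ends outside the hunk.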


