[Git][freetype/freetype][master] [sfnt] Guard access in 'COLR' table whe

freetype-commit

[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Git][freetype/freetype][master] [sfnt] Guard access in 'COLR' table whe

From:	Werner Lemberg (@wl)
Subject:	[Git][freetype/freetype][master] [sfnt] Guard access in 'COLR' table when requesting child table pointer.
Date:	Tue, 27 Sep 2022 16:21:11 +0000

 Werner Lemberg pushed to branch master
at FreeType / FreeType


Commits:



df260139

by Dominik Röttsches
at 2022-09-27T18:18:59+02:00

[sfnt] Guard access in 'COLR' table when requesting child table pointer.

* src/sfnt/ttcolr.c (tt_face_get_colorline_stops, read_paint): Tighten
pointer bounds checks.
(get_child_table_pointer): Check whether incoming pointer `p` lies within
the 'COLR' table.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51816



1 changed file:



src/sfnt/ttcolr.c



Changes:

src/sfnt/ttcolr.c



...
...
@@ -554,6 +554,10 @@



554


554

     if ( !child_table_pointer )




555


555

       return 0;




556


556

 




 


557

+    if ( *p < colr->paints_start_v1                            ||




 


558

+         *p > (FT_Byte*)colr->table + colr->table_size - 1 - 3 )




 


559

+      return 0;




 


560

+




557


561

     paint_offset = FT_NEXT_UOFF3( *p );




558


562

     if ( !paint_offset )




559


563

       return 0;



...
...
@@ -650,8 +654,10 @@



650


654

     if ( !p || !colr || !colr->table )




651


655

       return 0;




652


656

 




653


 

-    if ( p < colr->paints_start_v1                         ||




654


 

-         p >= ( (FT_Byte*)colr->table + colr->table_size ) )




 


657

+    /* The last byte of the 'COLR' table is at 'size-1'; subtract 1 of    */




 


658

+    /* that to account for the expected format byte we are going to read. */




 


659

+    if ( p < colr->paints_start_v1                        ||




 


660

+         p > (FT_Byte*)colr->table + colr->table_size - 2 )




655


661

       return 0;




656


662

 




657


663

     apaint->format = (FT_PaintFormat)FT_NEXT_BYTE( p );



...
...
@@ -1577,10 +1583,12 @@



1577


1583

     if ( iterator->current_color_stop >= iterator->num_color_stops )




1578


1584

       return 0;




1579


1585

 




 


1586

+    /* Subtract 3 times 2 because we need to succeed in reading */




 


1587

+    /* three 2-byte short values.                               */




1580


1588

     if ( iterator->p +




1581


 

-           ( ( iterator->num_color_stops - iterator->current_color_stop ) *




1582


 

-             COLOR_STOP_SIZE ) >




1583


 

-         ( (FT_Byte *)colr->table + colr->table_size ) )




 


1589

+           ( iterator->num_color_stops - iterator->current_color_stop ) *




 


1590

+           COLOR_STOP_SIZE >




 


1591

+         (FT_Byte*)colr->table + colr->table_size - 1 - 2 - 2 - 2 )




1584


1592

       return 0;




1585


1593

 




1586


1594

     /* Iterator points at first `ColorStop` of `ColorLine`. */











—


View it on GitLab.


You're receiving this email because of your account on gitlab.freedesktop.org. Manage all notifications · Help
@@ -554,6 +554,10 @@
      if ( !child_table_pointer )
        return 0;
 +    if ( *p < colr->paints_start_v1                            ||
 +         *p > (FT_Byte*)colr->table + colr->table_size - 1 - 3 )
 +      return 0;
++
      paint_offset = FT_NEXT_UOFF3( *p );
      if ( !paint_offset )
        return 0;
@@ -650,8 +654,10 @@
      if ( !p || !colr || !colr->table )
        return 0;
 -    if ( p < colr->paints_start_v1                         ||
 -         p >= ( (FT_Byte*)colr->table + colr->table_size ) )
 +    /* The last byte of the 'COLR' table is at 'size-1'; subtract 1 of    */
 +    /* that to account for the expected format byte we are going to read. */
 +    if ( p < colr->paints_start_v1                        ||
 +         p > (FT_Byte*)colr->table + colr->table_size - 2 )
        return 0;
      apaint->format = (FT_PaintFormat)FT_NEXT_BYTE( p );
@@ -1577,10 +1583,12 @@
      if ( iterator->current_color_stop >= iterator->num_color_stops )
        return 0;
 +    /* Subtract 3 times 2 because we need to succeed in reading */
 +    /* three 2-byte short values.                               */
      if ( iterator->p +
 -           ( ( iterator->num_color_stops - iterator->current_color_stop ) *
 -             COLOR_STOP_SIZE ) >
 -         ( (FT_Byte *)colr->table + colr->table_size ) )
 +           ( iterator->num_color_stops - iterator->current_color_stop ) *
 +           COLOR_STOP_SIZE >
 +         (FT_Byte*)colr->table + colr->table_size - 1 - 2 - 2 - 2 )
        return 0;
      /* Iterator points at first `ColorStop` of `ColorLine`. */

[Prev in Thread]

Current Thread

[Next in Thread]

[Git][freetype/freetype][master] [sfnt] Guard access in 'COLR' table when requesting child table pointer., Werner Lemberg (@wl) <=

Prev by Date: [freetype2] master df2601395: [sfnt] Guard access in 'COLR' table when requesting child table pointer.
Next by Date: [freetype2] master 3f3427c6f: * src/tools/*.py: Migrate to Python 3.
Previous by thread: [freetype2] master df2601395: [sfnt] Guard access in 'COLR' table when requesting child table pointer.
Next by thread: [freetype2] master 3f3427c6f: * src/tools/*.py: Migrate to Python 3.
Index(es):
- Date
- Thread