From: Werner Lemberg
Subject: [freetype2] master e97cb9e8d 2/2: [truetype] Improve bounds checks for `ItemVariationStore`.
Date: Sat, 12 Nov 2022 10:48:17 -0500 (EST)
branch: master
commit e97cb9e8da39673caeadf4b99a3aa1fb9e4c7301
Author: Behdad Esfahbod <behdad@behdad.org>
Commit: Werner Lemberg <wl@gnu.org>
[truetype] Improve bounds checks for `ItemVariationStore`.
* src/truetype/ttgxvar.c (tt_hvadvance_adjust): Move bounds check ...
(tt_var_get_item_delta): ... to this function, because it is safer. For
example, the 'avar' table 2.0 codepath was not performing a bounds check at
all.
---
src/truetype/ttgxvar.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index f9960c045..458b958ab 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -996,10 +996,16 @@
/* See pseudo code from `Font Variations Overview' */
/* in the OpenType specification. */
+ if ( outerIndex >= itemStore->dataCount )
+ return 0; /* Out of range. */
+
varData = &itemStore->varData[outerIndex];
deltaSet = FT_OFFSET( varData->deltaSet,
varData->regionIdxCount * innerIndex );
+ if ( innerIndex >= varData->itemCount )
+ return 0; /* Out of range. */
+
if ( FT_QNEW_ARRAY( scalars, varData->regionIdxCount ) )
return 0;
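Review bot: In this hunk `deltaSet` is still computed from `varData->regionIdxCount * innerIndex` before the new `innerIndex >= varData->itemCount` check runs, so the offset is formed from an index that has not been validated yet. Nothing in the visible lines dereferences `deltaSet` before the check, but moving the `innerIndex` check to directly after the `varData` assignment, ahead of the `FT_OFFSET` line, would keep validation before any use of the index and make the ordering obvious to later readers. Both early returns sit before `FT_QNEW_ARRAY`, so no cleanup is needed on those paths.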
@@ -1171,20 +1177,9 @@
}
else
{
- GX_ItemVarData varData;
-
-
/* no widthMap data */
outerIndex = 0;
innerIndex = gindex;
-
- varData = &table->itemStore.varData[outerIndex];
- if ( gindex >= varData->itemCount )
- {
- FT_TRACE2(( "gindex %d out of range\n", gindex ));
- error = FT_THROW( Invalid_Argument );
- goto Exit;
- }
}
delta = tt_var_get_item_delta( face,
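Review bot: The block removed from `tt_hvadvance_adjust` reported an out-of-range `gindex` with `FT_TRACE2` and `FT_THROW( Invalid_Argument )`; with the check moved, the same condition is caught in `tt_var_get_item_delta`, which returns 0, so the caller now continues with a zero delta and emits neither an error nor a trace. If that silent fallback is intended, state it in the commit message or in a comment at this call site, and consider adding an `FT_TRACE2` beside the new `return 0; /* Out of range. */` lines so that malformed fonts stay diagnosable.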