[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master 63f371367: [sfnt] Fix color stop bounds check calcula
|
From: |
Werner Lemberg |
|
Subject: |
[freetype2] master 63f371367: [sfnt] Fix color stop bounds check calculation at table end. |
|
Date: |
Thu, 5 Jan 2023 03:39:29 -0500 (EST) |
branch: master
commit 63f371367aeefa73541617edfb1dcef9428796fb
Author: Dominik Röttsches <drott@chromium.org>
Commit: Werner Lemberg <wl@gnu.org>
[sfnt] Fix color stop bounds check calculation at table end.
Fixes https://bugs.chromium.org/p/skia/issues/detail?id=14021
* src/sfnt/ttcolr.c (VAR_IDX_BASE_SIZE): New macro.
(tt_face_get_colorline_stops): Fix off-by-one bounds check calculation, take
`VarColorStop` into account, and hopefully make it easier to read.
---
src/sfnt/ttcolr.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index da808230f..3f8ba3bec 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -56,6 +56,7 @@
#define LAYER_V1_LIST_PAINT_OFFSET_SIZE 4U
#define LAYER_V1_LIST_NUM_LAYERS_SIZE 4U
#define COLOR_STOP_SIZE 6U
+#define VAR_IDX_BASE_SIZE 4U
#define LAYER_SIZE 4U
/* https://docs.microsoft.com/en-us/typography/opentype/spec/colr#colr-header
*/
/* 3 * uint16 + 2 * Offset32 */
@@ -1618,20 +1619,29 @@
FT_Byte* p;
FT_ULong var_index_base;
+ FT_Byte* last_entry_p = NULL;
+ FT_UInt entry_size = COLOR_STOP_SIZE;
- if ( !colr || !colr->table )
+ if ( !colr || !colr->table || !iterator )
return 0;
if ( iterator->current_color_stop >= iterator->num_color_stops )
return 0;
- /* Subtract 3 times 2 because we need to succeed in reading */
- /* three 2-byte short values. */
- if ( iterator->p +
- ( iterator->num_color_stops - iterator->current_color_stop ) *
- COLOR_STOP_SIZE >
- (FT_Byte*)colr->table + colr->table_size - 1 - 2 - 2 - 2 )
+ if ( iterator->read_variable )
+ entry_size += VAR_IDX_BASE_SIZE;
+
+ /* Calculate the start pointer for the last to-be-read (Var)ColorStop */
+ /* and check whether we can read a full (Var)ColorStop at that */
+ /* position by comparing it to the position that is the size of one */
+ /* (Var)ColorStop before the end of the 'COLR' table. */
+ last_entry_p =
+ iterator->p + ( iterator->num_color_stops - 1 -
+ iterator->current_color_stop ) * entry_size;
+ if ( iterator->p < colr->paints_start_v1 ||
+ last_entry_p > (FT_Byte*)colr->table +
+ colr->table_size - entry_size )
return 0;
/* Iterator points at first `ColorStop` of `ColorLine`. */
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master 63f371367: [sfnt] Fix color stop bounds check calculation at table end.,
Werner Lemberg <=