
[Git][freetype/freetype][master] [sfnt] Guard individual `COLR` v1 paint


From: Werner Lemberg (@wl)
Subject: [Git][freetype/freetype][master] [sfnt] Guard individual `COLR` v1 paint field reads.
Date: Tue, 18 Oct 2022 06:39:07 +0000

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

  • 04272824
    by Dominik Röttsches at 2022-10-18T08:37:05+02:00
    [sfnt] Guard individual `COLR` v1 paint field reads.
    
    * src/sfnt/ttcolr.c (ENSURE_READ_BYTES): New macro.
    (read_paint): Use it – after the start pointer `p` has been checked for
    whether it allows reading the format byte, each successive paint table field
    read needs to be bounds-checked before reading further values.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404
    

1 changed file:

Changes:

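--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -69,6 +69,11 @@
                 &tt_driver_class                                          && \
               ((TT_Driver)FT_FACE_DRIVER( face ))->enable_variable_colrv1 )
 
+#define ENSURE_READ_BYTES( byte_size )                             \
+  if ( p < colr->paints_start_v1                                || \
+       p > (FT_Byte*)colr->table + colr->table_size - byte_size )  \
+    return 0;
+
 
   typedef enum  FT_PaintFormat_Internal_
   {
@@ -695,6 +700,7 @@
          (FT_PaintFormat_Internal)apaint->format ==
            FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID  )
     {
+      ENSURE_READ_BYTES( 4 );
       apaint->u.solid.color.palette_index = FT_NEXT_USHORT( p );
       apaint->u.solid.color.alpha         = FT_NEXT_SHORT( p );
 
@@ -703,6 +709,7 @@
                FT_COLR_PAINTFORMAT_INTERNAL_VAR_SOLID &&
            VARIABLE_COLRV1_ENABLED                    )
       {
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG( p );
 
         if ( !get_deltas_for_var_index_base( face, colr, var_index_base, 1,
@@ -720,6 +727,7 @@
 
     else if ( apaint->format == FT_COLR_PAINTFORMAT_COLR_GLYPH )
     {
+      ENSURE_READ_BYTES(2);
       apaint->u.colr_glyph.glyphID = FT_NEXT_USHORT( p );
 
       return 1;
@@ -746,9 +754,11 @@
         return 0;
 
       /*
-       * In order to support variations expose these as FT_Fixed 16.16 values so
-       * that we can support fractional values after interpolation.
+       * In order to support variations expose these as FT_Fixed 16.16
+       * values so that we can support fractional values after
+       * interpolation.
        */
+      ENSURE_READ_BYTES( 12 );
       apaint->u.linear_gradient.p0.x = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
       apaint->u.linear_gradient.p0.y = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
       apaint->u.linear_gradient.p1.x = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
@@ -759,6 +769,7 @@
 #ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT
       if ( do_read_var && VARIABLE_COLRV1_ENABLED )
       {
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG ( p );
 
         if ( !get_deltas_for_var_index_base( face, colr, var_index_base, 6,
@@ -792,11 +803,14 @@
                                              do_read_var ) )
           return 0;
 
+
       /* In the OpenType specification, `r0` and `r1` are defined as   */
       /* `UFWORD`.  Since FreeType doesn't have a corresponding 16.16  */
       /* format we convert to `FWORD` and replace negative values with */
       /* (32bit) `FT_INT_MAX`.                                         */
 
+      ENSURE_READ_BYTES( 12 );
+
       apaint->u.radial_gradient.c0.x = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
       apaint->u.radial_gradient.c0.y = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
 
@@ -812,6 +826,7 @@
 #ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT
       if ( do_read_var && VARIABLE_COLRV1_ENABLED )
       {
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG ( p );
 
         if ( !get_deltas_for_var_index_base( face, colr, var_index_base, 6,
@@ -846,6 +861,8 @@
                                              do_read_var) )
           return 0;
 
+      ENSURE_READ_BYTES( 8 );
+
       apaint->u.sweep_gradient.center.x =
         INT_TO_FIXED( FT_NEXT_SHORT( p ) );
       apaint->u.sweep_gradient.center.y =
@@ -859,6 +876,7 @@
 #ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT
       if ( do_read_var && VARIABLE_COLRV1_ENABLED )
       {
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG ( p );
 
         if ( !get_deltas_for_var_index_base( face, colr, var_index_base, 4,
@@ -882,6 +900,7 @@
 
     if ( apaint->format == FT_COLR_PAINTFORMAT_GLYPH )
     {
+      ENSURE_READ_BYTES( 2 );
       apaint->u.glyph.paint.p                     = child_table_p;
       apaint->u.glyph.paint.insert_root_transform = 0;
       apaint->u.glyph.glyphID                     = FT_NEXT_USHORT( p );
@@ -905,6 +924,7 @@
        * The following matrix coefficients are encoded as
        * OpenType 16.16 fixed-point values.
        */
+      ENSURE_READ_BYTES( 24 );
       apaint->u.transform.affine.xx = FT_NEXT_LONG( p );
       apaint->u.transform.affine.yx = FT_NEXT_LONG( p );
       apaint->u.transform.affine.xy = FT_NEXT_LONG( p );
@@ -917,6 +937,7 @@
                FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSFORM &&
            VARIABLE_COLRV1_ENABLED                      )
       {
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG( p );
 
         if ( !get_deltas_for_var_index_base( face, colr, var_index_base, 6,
@@ -944,6 +965,7 @@
       apaint->u.translate.paint.p                     = child_table_p;
       apaint->u.translate.paint.insert_root_transform = 0;
 
+      ENSURE_READ_BYTES( 4 );
       apaint->u.translate.dx = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
       apaint->u.translate.dy = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
 
@@ -952,6 +974,7 @@
                FT_COLR_PAINTFORMAT_INTERNAL_VAR_TRANSLATE &&
            VARIABLE_COLRV1_ENABLED                      )
       {
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG( p );
 
         if ( !get_deltas_for_var_index_base( face, colr, var_index_base, 2,
@@ -976,6 +999,7 @@
       apaint->u.scale.paint.insert_root_transform = 0;
 
       /* All scale paints get at least one scale value. */
+      ENSURE_READ_BYTES( 2 );
       apaint->u.scale.scale_x = F2DOT14_TO_FIXED( FT_NEXT_SHORT( p ) );
 
       /* Non-uniform ones read an extra y value. */
@@ -986,7 +1010,10 @@
                FT_COLR_PAINTFORMAT_INTERNAL_SCALE_CENTER     ||
            (FT_PaintFormat_Internal)apaint->format ==
              FT_COLR_PAINTFORMAT_INTERNAL_VAR_SCALE_CENTER )
+      {
+        ENSURE_READ_BYTES( 2 );
         apaint->u.scale.scale_y = F2DOT14_TO_FIXED( FT_NEXT_SHORT( p ) );
+      }
       else
         apaint->u.scale.scale_y = apaint->u.scale.scale_x;
 
@@ -1001,6 +1028,7 @@
            (FT_PaintFormat_Internal)apaint->format ==
              FT_COLR_PAINTFORMAT_INTERNAL_VAR_SCALE_UNIFORM_CENTER )
       {
+        ENSURE_READ_BYTES( 4 );
         apaint->u.scale.center_x = INT_TO_FIXED( FT_NEXT_SHORT ( p ) );
         apaint->u.scale.center_y = INT_TO_FIXED( FT_NEXT_SHORT ( p ) );
       }
@@ -1023,6 +1051,7 @@
                FT_COLR_PAINTFORMAT_INTERNAL_VAR_SCALE_UNIFORM_CENTER ) &&
            VARIABLE_COLRV1_ENABLED                                     )
       {
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG( p );
 
         if ( (FT_PaintFormat_Internal)apaint->format ==
@@ -1093,6 +1122,7 @@
       apaint->u.rotate.paint.p                     = child_table_p;
       apaint->u.rotate.paint.insert_root_transform = 0;
 
+      ENSURE_READ_BYTES( 2 );
       apaint->u.rotate.angle = F2DOT14_TO_FIXED( FT_NEXT_SHORT( p ) );
 
       if ( (FT_PaintFormat_Internal)apaint->format ==
@@ -1100,6 +1130,7 @@
            (FT_PaintFormat_Internal)apaint->format ==
              FT_COLR_PAINTFORMAT_INTERNAL_VAR_ROTATE_CENTER )
       {
+        ENSURE_READ_BYTES( 4 );
         apaint->u.rotate.center_x = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
         apaint->u.rotate.center_y = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
       }
@@ -1119,6 +1150,7 @@
         FT_UInt  num_deltas = 0;
 
 
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG( p );
 
         if ( (FT_PaintFormat_Internal)apaint->format ==
@@ -1162,6 +1194,7 @@
       apaint->u.skew.paint.p                     = child_table_p;
       apaint->u.skew.paint.insert_root_transform = 0;
 
+      ENSURE_READ_BYTES( 4 );
       apaint->u.skew.x_skew_angle = F2DOT14_TO_FIXED( FT_NEXT_SHORT( p ) );
       apaint->u.skew.y_skew_angle = F2DOT14_TO_FIXED( FT_NEXT_SHORT( p ) );
 
@@ -1170,6 +1203,7 @@
            (FT_PaintFormat_Internal)apaint->format ==
              FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW_CENTER )
       {
+        ENSURE_READ_BYTES( 4 );
         apaint->u.skew.center_x = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
         apaint->u.skew.center_y = INT_TO_FIXED( FT_NEXT_SHORT( p ) );
       }
@@ -1187,6 +1221,7 @@
                FT_COLR_PAINTFORMAT_INTERNAL_VAR_SKEW_CENTER ) &&
            VARIABLE_COLRV1_ENABLED                            )
       {
+        ENSURE_READ_BYTES( 4 );
         var_index_base = FT_NEXT_ULONG( p );
 
         if ( (FT_PaintFormat_Internal)apaint->format ==
@@ -1228,6 +1263,7 @@
       apaint->u.composite.source_paint.p                     = child_table_p;
       apaint->u.composite.source_paint.insert_root_transform = 0;
 
+      ENSURE_READ_BYTES( 1 );
       composite_mode = FT_NEXT_BYTE( p );
       if ( composite_mode >= FT_COLR_COMPOSITE_MAX )
         return 0;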

