@@ -516,7 +516,8 @@ |
516
|
516
|
|
517
|
517
|
|
518
|
518
|
static FT_Bool
|
519
|
|
- read_color_line( FT_Byte* color_line_p,
|
|
519
|
+ read_color_line( Colr* colr,
|
|
520
|
+ FT_Byte* color_line_p,
|
520
|
521
|
FT_ColorLine* colorline,
|
521
|
522
|
FT_Bool read_variable )
|
522
|
523
|
{
|
@@ -524,6 +525,8 @@ |
524
|
525
|
FT_PaintExtend paint_extend;
|
525
|
526
|
|
526
|
527
|
|
|
528
|
+ ENSURE_READ_BYTES( 3 );
|
|
529
|
+
|
527
|
530
|
paint_extend = (FT_PaintExtend)FT_NEXT_BYTE( p );
|
528
|
531
|
if ( paint_extend > FT_COLR_PAINT_EXTEND_REFLECT )
|
529
|
532
|
return 0;
|
@@ -748,7 +751,8 @@ |
748
|
751
|
( (FT_PaintFormat_Internal)apaint->format ==
|
749
|
752
|
FT_COLR_PAINTFORMAT_INTERNAL_VAR_LINEAR_GRADIENT ) ) )
|
750
|
753
|
{
|
751
|
|
- if ( !read_color_line( child_table_p,
|
|
754
|
+ if ( !read_color_line( colr,
|
|
755
|
+ child_table_p,
|
752
|
756
|
&apaint->u.linear_gradient.colorline,
|
753
|
757
|
do_read_var ) )
|
754
|
758
|
return 0;
|
@@ -798,7 +802,8 @@ |
798
|
802
|
FT_Pos tmp;
|
799
|
803
|
|
800
|
804
|
|
801
|
|
- if ( !read_color_line( child_table_p,
|
|
805
|
+ if ( !read_color_line( colr,
|
|
806
|
+ child_table_p,
|
802
|
807
|
&apaint->u.radial_gradient.colorline,
|
803
|
808
|
do_read_var ) )
|
804
|
809
|
return 0;
|
@@ -856,7 +861,8 @@ |
856
|
861
|
( (FT_PaintFormat_Internal)apaint->format ==
|
857
|
862
|
FT_COLR_PAINTFORMAT_INTERNAL_VAR_SWEEP_GRADIENT ) ) )
|
858
|
863
|
{
|
859
|
|
- if ( !read_color_line( child_table_p,
|
|
864
|
+ if ( !read_color_line( colr,
|
|
865
|
+ child_table_p,
|
860
|
866
|
&apaint->u.sweep_gradient.colorline,
|
861
|
867
|
do_read_var) )
|
862
|
868
|
return 0;
|
@@ -1558,13 +1564,6 @@ |
1558
|
1564
|
*/
|
1559
|
1565
|
p = iterator->p;
|
1560
|
1566
|
|
1561
|
|
- /*
|
1562
|
|
- * First ensure that p is within COLRv1.
|
1563
|
|
- */
|
1564
|
|
- if ( p < colr->layers_v1 ||
|
1565
|
|
- p >= ( (FT_Byte*)colr->table + colr->table_size ) )
|
1566
|
|
- return 0;
|
1567
|
|
-
|
1568
|
1567
|
/*
|
1569
|
1568
|
* Do a cursor sanity check of the iterator. Counting backwards from
|
1570
|
1569
|
* where it stands, we need to end up at a position after the beginning
|
@@ -1581,6 +1580,14 @@ |
1581
|
1580
|
colr->num_layers_v1 * LAYER_V1_LIST_PAINT_OFFSET_SIZE ) )
|
1582
|
1581
|
return 0;
|
1583
|
1582
|
|
|
1583
|
+ /*
|
|
1584
|
+ * Before reading, ensure that `p` is within 'COLR' v1 and we can read a
|
|
1585
|
+ * 4-byte ULONG.
|
|
1586
|
+ */
|
|
1587
|
+ if ( p < colr->layers_v1 ||
|
|
1588
|
+ p > ( (FT_Byte*)colr->table + colr->table_size - 4 ) )
|
|
1589
|
+ return 0;
|
|
1590
|
+
|
1584
|
1591
|
paint_offset =
|
1585
|
1592
|
FT_NEXT_ULONG( p );
|
1586
|
1593
|
opaque_paint->insert_root_transform =
|
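Review bot: In the last hunk, the new upper bound `p > ( (FT_Byte*)colr->table + colr->table_size - 4 )` forms a pointer below `colr->table` when `table_size` is smaller than 4, which is undefined pointer arithmetic and may let the comparison pass on a truncated table; nothing visible in this hunk guarantees a minimum size. Guarding the size first keeps the check sound: `if ( colr->table_size < 4 || p < colr->layers_v1 || p > ( (FT_Byte*)colr->table + colr->table_size - 4 ) )`. The literal 4 is tied to the `FT_NEXT_ULONG( p )` read that follows, so a named constant or a short comment at the read would keep the two from drifting apart. The enclosing function starts and ends outside the hunk, so an earlier size check may already exist there.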