
[Git][freetype/freetype][master] [sfnt] Additional bounds checks for `CO


From: Werner Lemberg (@wl)
Subject: [Git][freetype/freetype][master] [sfnt] Additional bounds checks for `COLR` v1 table handling.
Date: Tue, 18 Oct 2022 17:59:21 +0000

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

  • 0b62c1e4
    by Dominik Röttsches at 2022-10-18T19:55:25+02:00
    [sfnt] Additional bounds checks for `COLR` v1 table handling.
    
    * src/sfnt/ttcolr.c (read_paint): Add `colr` argument, necessary for...
    ... another use of `ENSURE_READ_BYTES`.
    Update callers.
    (tt_face_get_paint_layers): Ensure that the 4-byte paint table
    offset can be read.
    
    This is a follow-up to !124 and issue
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404
    

1 changed file:

Changes:

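--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -516,7 +516,8 @@
 
 
   static FT_Bool
-  read_color_line( FT_Byte*       color_line_p,
+  read_color_line( Colr*          colr,
+                   FT_Byte*       color_line_p,
                    FT_ColorLine*  colorline,
                    FT_Bool        read_variable )
   {
@@ -524,6 +525,8 @@
     FT_PaintExtend  paint_extend;
 
 
+    ENSURE_READ_BYTES( 3 );
+
     paint_extend = (FT_PaintExtend)FT_NEXT_BYTE( p );
     if ( paint_extend > FT_COLR_PAINT_EXTEND_REFLECT )
       return 0;
@@ -748,7 +751,8 @@
            ( (FT_PaintFormat_Internal)apaint->format ==
              FT_COLR_PAINTFORMAT_INTERNAL_VAR_LINEAR_GRADIENT ) ) )
     {
-      if ( !read_color_line( child_table_p,
+      if ( !read_color_line( colr,
+                             child_table_p,
                              &apaint->u.linear_gradient.colorline,
                              do_read_var ) )
         return 0;
@@ -798,7 +802,8 @@
       FT_Pos  tmp;
 
 
-      if ( !read_color_line( child_table_p,
+      if ( !read_color_line( colr,
+                             child_table_p,
                              &apaint->u.radial_gradient.colorline,
                              do_read_var ) )
         return 0;
@@ -856,7 +861,8 @@
                 ( (FT_PaintFormat_Internal)apaint->format ==
                   FT_COLR_PAINTFORMAT_INTERNAL_VAR_SWEEP_GRADIENT ) ) )
     {
-      if ( !read_color_line( child_table_p,
+      if ( !read_color_line( colr,
+                             child_table_p,
                              &apaint->u.sweep_gradient.colorline,
                              do_read_var) )
         return 0;
@@ -1558,13 +1564,6 @@
      */
     p = iterator->p;
 
-    /*
-     * First ensure that p is within COLRv1.
-     */
-    if ( p < colr->layers_v1                               ||
-         p >= ( (FT_Byte*)colr->table + colr->table_size ) )
-      return 0;
-
     /*
      * Do a cursor sanity check of the iterator.  Counting backwards from
      * where it stands, we need to end up at a position after the beginning
@@ -1581,6 +1580,14 @@
                colr->num_layers_v1 * LAYER_V1_LIST_PAINT_OFFSET_SIZE ) )
       return 0;
 
+    /*
+     * Before reading, ensure that `p` is within 'COLR' v1 and we can read a
+     * 4-byte ULONG.
+     */
+    if ( p < colr->layers_v1                                  ||
+         p > ( (FT_Byte*)colr->table + colr->table_size - 4 ) )
+      return 0;
+
     paint_offset =
       FT_NEXT_ULONG( p );
     opaque_paint->insert_root_transform =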

