authorBen Wagner <bungeman@chromium.org>2022-03-03 16:33:40 -0500
committerBen Wagner <bungeman@chromium.org>2022-03-03 16:42:54 -0500
commit335224beee2e72caab4ae56b76d6eb72001c3753 (patch)
tree314192109fe8dfba6ce379c16842a13cbe5312f3
parent034e5dbf92ea3a7ea7c9322e47a3a50ff23f7b55 (diff)
[sfnt] Fix bounds check in SVG.
The `SVG_DOCUMENT_LIST_MINIMUM_SIZE` macro is non-trivial and not protected by parentheses. As a result, the expression `table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE` expands to `table_size - 2U + SVG_DOCUMENT_RECORD_SIZE` instead of the expected `table_size - (2U + SVG_DOCUMENT_RECORD_SIZE)`. This causes an incorrect bounds check which may lead to reading past the end of the `SVG ` table. * src/sfnt/ttsvg.c (tt_face_load_svg): wrap macro definitions in parentheses. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45179
-rw-r--r--src/sfnt/ttsvg.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/sfnt/ttsvg.c b/src/sfnt/ttsvg.c
index 781a88b4d..cb70ee8b1 100644
--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@@ -39,11 +39,11 @@
/* NOTE: These table sizes are given by the specification. */
-#define SVG_TABLE_HEADER_SIZE 10U
-#define SVG_DOCUMENT_RECORD_SIZE 12U
-#define SVG_DOCUMENT_LIST_MINIMUM_SIZE 2U + SVG_DOCUMENT_RECORD_SIZE
-#define SVG_MINIMUM_SIZE SVG_TABLE_HEADER_SIZE + \
- SVG_DOCUMENT_LIST_MINIMUM_SIZE
+#define SVG_TABLE_HEADER_SIZE (10U)
+#define SVG_DOCUMENT_RECORD_SIZE (12U)
+#define SVG_DOCUMENT_LIST_MINIMUM_SIZE (2U + SVG_DOCUMENT_RECORD_SIZE)
+#define SVG_MINIMUM_SIZE (SVG_TABLE_HEADER_SIZE + \
+ SVG_DOCUMENT_LIST_MINIMUM_SIZE)
typedef struct Svg_