authorWerner Lemberg <wl@gnu.org>2018-07-05 23:05:53 +0200
committerWerner Lemberg <wl@gnu.org>2018-07-05 23:05:53 +0200
commit0767d5362fdc2d14de842b264f24a6cb91d45d55 (patch)
treee409bd02f4d2a70c05dcc09acfdb192174ccad56
parent6ceeb87f5dd1cb61aa9618bc6296ca917980b0e7 (diff)
Adjust table size comparisons (#54242).
* src/sfnt/ttcpal.c (tt_face_load_cpal): Implement it.
-rw-r--r--ChangeLog6
-rw-r--r--src/sfnt/ttcpal.c8
2 files changed, 13 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 0bcdb95d8..f193f6f55 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2018-07-05 Werner Lemberg <wl@gnu.org>
+ Adjust table size comparisons (#54242).
+
+ * src/sfnt/ttcpal.c (tt_face_load_cpal): Implement it.
+
+2018-07-05 Werner Lemberg <wl@gnu.org>
+
Fix more 32bit issues (#54208)
* src/cff/cffload.c (cff_blend_build_vector): Convert assertion into
diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c
index f01d88c63..b4b60e22a 100644
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -112,6 +112,10 @@
cpal->num_colors = FT_NEXT_USHORT( p );
colors_offset = FT_NEXT_ULONG( p );
+ if ( CPAL_V0_HEADER_BASE_SIZE +
+ face->palette_data.num_palettes * 2U > table_size )
+ goto InvalidTable;
+
if ( colors_offset >= table_size )
goto InvalidTable;
if ( cpal->num_colors * COLOR_SIZE > table_size - colors_offset )
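Review bot: The added check `CPAL_V0_HEADER_BASE_SIZE + face->palette_data.num_palettes * 2U > table_size` carries no comment saying which region of the table it bounds, and in a parser of untrusted font data that invariant should be written down. I would put `/* the header plus one 16-bit index per palette must fit into the table */` above it; the element meaning is inferred from the `* 2U` factor and from the later `p += face->palette_data.num_palettes * 2`. The check also sits after the `FT_NEXT_USHORT`/`FT_NEXT_ULONG` header reads, so those reads depend on an earlier comparison of `table_size` with the header size that this hunk does not show. The function body starts and ends outside the hunk.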
@@ -128,7 +132,9 @@
FT_UShort* q;
- if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size )
+ if ( CPAL_V0_HEADER_BASE_SIZE +
+ face->palette_data.num_palettes * 2U +
+ 3U * 4 > table_size )
goto InvalidTable;
p += face->palette_data.num_palettes * 2;
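Review bot: `3U * 4` in the version 1 size check is a bare magic number. It is presumably the three 32-bit offsets read once `p` has been advanced, but that code is outside the hunk, so a comment such as `/* three 32-bit offsets follow the index array */` would make the bound verifiable by a reader. The sum `CPAL_V0_HEADER_BASE_SIZE + face->palette_data.num_palettes * 2U` is now written out twice, here and in the check added in the earlier hunk. Computing it once into a local and reusing it would keep the two bounds from drifting apart, which is the kind of mismatch the removed line had when it left out the header size.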