diff options
author | Dominik Röttsches <drott@chromium.org> | 2022-01-11 13:40:20 +0200 |
---|---|---|
committer | Dominik Röttsches <drott@chromium.org> | 2022-01-11 13:40:20 +0200 |
commit | 3876846e26fdd56f4434bdabfe6722ec66a40b83 (patch) | |
tree | 9980ac45036fbc6cebd57cc894e4f5b514ae47b9 | |
parent | d0cfb4e1b227ce088181627b07619ee08fe6a073 (diff) | |
download | freetype2-3876846e26fdd56f4434bdabfe6722ec66a40b83.tar.gz |
[sfnt] Fix limit checks for `COLR` v1 ClipBoxes
* src/sfnt/ttcolr.c (tt_face_get_color_glyph_clipbox): Fix off-by-one in
limit checks.
-rw-r--r-- | src/sfnt/ttcolr.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c index 1ff300ede..50c19f71d 100644 --- a/src/sfnt/ttcolr.c +++ b/src/sfnt/ttcolr.c @@ -857,10 +857,14 @@ p = colr->clip_list; + /* limit points to the first byte after the end of the color table. */ + /* Thus, in subsequent limit checks below we need to check whether the */ + /* read pointer is strictly greater than a position offset */ + /* by certain field sizes to the left of that position. */ limit = (FT_Byte*)colr->table + colr->table_size; /* Check whether we can extract one `uint8` and one `uint32`. */ - if ( p >= limit - ( 1 + 4 ) ) + if ( p > limit - ( 1 + 4 ) ) return 0; clip_base = p; @@ -876,7 +880,7 @@ /* Check whether we can extract two `uint16` and one `Offset24`, */ /* `num_clip_boxes` times. */ if ( colr->table_size / ( 2 + 2 + 3 ) < num_clip_boxes || - p >= limit - ( 2 + 2 + 3 ) * num_clip_boxes ) + p > limit - ( 2 + 2 + 3 ) * num_clip_boxes ) return 0; for ( i = 0; i < num_clip_boxes; ++i ) @@ -890,7 +894,7 @@ p1 = (FT_Byte*)( clip_base + clip_box_offset ); /* Check whether we can extract one `uint8`. */ - if ( p1 >= limit - 1 ) + if ( p1 > limit - 1 ) return 0; format = FT_NEXT_BYTE( p1 ); @@ -899,7 +903,7 @@ return 0; /* Check whether we can extract four `FWORD`. */ - if ( p1 >= limit - ( 2 + 2 + 2 + 2 ) ) + if ( p1 > limit - ( 2 + 2 + 2 + 2 ) ) return 0; /* `face->root.size->metrics.x_scale` and `y_scale` are factors */ |