diff options
author | Werner Lemberg <wl@gnu.org> | 2018-07-05 23:05:53 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2018-07-05 23:05:53 +0200 |
commit | 0767d5362fdc2d14de842b264f24a6cb91d45d55 (patch) | |
tree | e409bd02f4d2a70c05dcc09acfdb192174ccad56 | |
parent | 6ceeb87f5dd1cb61aa9618bc6296ca917980b0e7 (diff) | |
download | freetype2-0767d5362fdc2d14de842b264f24a6cb91d45d55.tar.gz |
Adjust table size comparisons (#54242).
* src/sfnt/ttcpal.c (tt_face_load_cpal): Implement it.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | src/sfnt/ttcpal.c | 8 |
2 files changed, 13 insertions, 1 deletions
@@ -1,5 +1,11 @@ 2018-07-05 Werner Lemberg <wl@gnu.org> + Adjust table size comparisons (#54242). + + * src/sfnt/ttcpal.c (tt_face_load_cpal): Implement it. + +2018-07-05 Werner Lemberg <wl@gnu.org> + Fix more 32bit issues (#54208) * src/cff/cffload.c (cff_blend_build_vector): Convert assertion into diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c index f01d88c63..b4b60e22a 100644 --- a/src/sfnt/ttcpal.c +++ b/src/sfnt/ttcpal.c @@ -112,6 +112,10 @@ cpal->num_colors = FT_NEXT_USHORT( p ); colors_offset = FT_NEXT_ULONG( p ); + if ( CPAL_V0_HEADER_BASE_SIZE + + face->palette_data.num_palettes * 2U > table_size ) + goto InvalidTable; + if ( colors_offset >= table_size ) goto InvalidTable; if ( cpal->num_colors * COLOR_SIZE > table_size - colors_offset ) @@ -128,7 +132,9 @@ FT_UShort* q; - if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size ) + if ( CPAL_V0_HEADER_BASE_SIZE + + face->palette_data.num_palettes * 2U + + 3U * 4 > table_size ) goto InvalidTable; p += face->palette_data.num_palettes * 2; |