| author | Werner Lemberg <wl@gnu.org> | 2018-06-19 20:09:31 +0200 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2018-06-19 20:09:31 +0200 |
| commit | a6b77ba2b39e379cd9295a9376fedf574a6ba15f (patch) | |
| tree | 3f687fdf928cf7a7b708bd0b49eea908f80b6a9b | |
| parent | 7915fd51f123d0adbe6a0b9ad19eb941e1733c87 (diff) | |
| download | freetype2-a6b77ba2b39e379cd9295a9376fedf574a6ba15f.tar.gz | |
[sfnt] Fix CPAL heap buffer overflow.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968
* src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1
offsets.
| -rw-r--r-- | ChangeLog | 11 |
|---|---|---|
| -rw-r--r-- | src/sfnt/ttcpal.c | 3 |
2 files changed, 14 insertions, 0 deletions
@@ -1,5 +1,16 @@ 2018-06-19 Werner Lemberg <wl@gnu.org> + [sfnt] Fix CPAL heap buffer overflow. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968 + + * src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1 + offsets. + +2018-06-19 Werner Lemberg <wl@gnu.org> + Doh. Don't use CPAL or COLR data if tables are missing. Reported by Alexei. diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c index fc78c67be..9cdcec69c 100644 --- a/src/sfnt/ttcpal.c +++ b/src/sfnt/ttcpal.c @@ -128,6 +128,9 @@ FT_UShort* q; + if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size ) + goto InvalidTable; + p += face->palette_data.num_palettes * 2; type_offset = FT_NEXT_ULONG( p ); |
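Review bot: In the src/sfnt/ttcpal.c hunk, the new bound `face->palette_data.num_palettes * 2 + 3U * 4 > table_size` is measured against the whole table, while `p` is a running cursor (the same hunk advances it with `p += ...` and `FT_NEXT_ULONG( p )`); unless `p` still points at the table start at this line, the check under-counts by however many header bytes have already been consumed, so it should be expressed relative to the cursor, e.g. `if ( (FT_ULong)( p - table ) + face->palette_data.num_palettes * 2 + 3U * 4 > table_size )` (assuming a `table` pointer to the start of the CPAL data is in scope, which is not visible in this context). The `3U * 4` constant also deserves a comment saying it is the three 32-bit version-1 offsets (palette type, palette label and palette entry label arrays). Finally, this guard only covers reading those three offsets; `type_offset` and the other two values are still untrusted file data and need their own comparison against `table_size` before the arrays they address are touched.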