authorWerner Lemberg <wl@gnu.org>2018-06-19 20:09:31 +0200
committerWerner Lemberg <wl@gnu.org>2018-06-19 20:09:31 +0200
commita6b77ba2b39e379cd9295a9376fedf574a6ba15f (patch)
tree3f687fdf928cf7a7b708bd0b49eea908f80b6a9b
parent7915fd51f123d0adbe6a0b9ad19eb941e1733c87 (diff)
downloadfreetype2-a6b77ba2b39e379cd9295a9376fedf574a6ba15f.tar.gz
[sfnt] Fix CPAL heap buffer overflow.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968 * src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1 offsets.
-rw-r--r--ChangeLog11
-rw-r--r--src/sfnt/ttcpal.c3
2 files changed, 14 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index af02921e7..0b2a7eeeb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2018-06-19 Werner Lemberg <wl@gnu.org>
+ [sfnt] Fix CPAL heap buffer overflow.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968
+
+ * src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1
+ offsets.
+
+2018-06-19 Werner Lemberg <wl@gnu.org>
+
Doh. Don't use CPAL or COLR data if tables are missing.
Reported by Alexei.
diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c
index fc78c67be..9cdcec69c 100644
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -128,6 +128,9 @@
FT_UShort* q;
+ if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size )
+ goto InvalidTable;
+
p += face->palette_data.num_palettes * 2;
type_offset = FT_NEXT_ULONG( p );