author | Werner Lemberg <wl@gnu.org> | 2020-10-28 13:34:52 +0100 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2020-10-28 13:34:52 +0100 |
commit | 804e625def2cfb64ef2f4c8877cd3fa11e86e208 (patch) | |
tree | aa9b0a43d4d36cab4ade1307e1c102acc55f8270 | |
parent | 40c5681ab92e7db1298273ccf3c816e6a1498260 (diff) | |
download | freetype2-804e625def2cfb64ef2f4c8877cd3fa11e86e208.tar.gz |
[truetype] Minor update to forthcoming OpenType 1.8.4 standard.
* src/truetype/ttgxvar.c (ft_var_load_item_variation_store): Limit
size of `regionCount`.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | src/truetype/ttgxvar.c | 9 |
2 files changed, 16 insertions, 0 deletions
@@ -1,3 +1,10 @@ +2020-10-28 Werner Lemberg <wl@gnu.org> + + [truetype] Minor update to forthcoming OpenType 1.8.4 standard. + + * src/truetype/ttgxvar.c (ft_var_load_item_variation_store): Limit + size of `regionCount`. + 2020-10-26 Werner Lemberg <wl@gnu.org> * meson.build: Fix 'harfbuzz' and 'brotli' build options (#59347). diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index b462263de..53b0cc26f 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -493,6 +493,15 @@ goto Exit; } + /* new constraint in OpenType 1.8.4 */ + if ( itemStore->regionCount >= 32768U ) + { + FT_TRACE2(( "ft_var_load_item_variation_store:" + " too many variation region tables\n" )); + error = FT_THROW( Invalid_Table ); + goto Exit; + } + if ( FT_NEW_ARRAY( itemStore->varRegionList, itemStore->regionCount ) ) goto Exit; |
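Review bot: In the src/truetype/ttgxvar.c hunk, the bound in `if ( itemStore->regionCount >= 32768U )` is a bare literal, and the comment above it says only "new constraint in OpenType 1.8.4" without stating the rule being enforced. Please spell the rule out in the comment (for example, that `regionCount` must be less than 32768) or give the limit a named constant, so a later reader does not have to look up the specification to see that `>=` is intended. The `FT_TRACE2` message "too many variation region tables" would also be more useful when triaging a rejected font if it included the offending `itemStore->regionCount` value. Placing the check ahead of `FT_NEW_ARRAY( itemStore->varRegionList, itemStore->regionCount )` is right, since it rejects the table before the count is used to size an allocation.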