| author | Dominik Röttsches <drott@chromium.org> | 2021-06-08 14:29:11 +0300 |
|---|---|---|
| committer | Dominik Röttsches <drott@chromium.org> | 2021-06-08 14:29:11 +0300 |
| commit | ee6d03d369e78812dc753c55a85226af343b845e (patch) | |
| tree | 3426fe09bc484cfed96ffb893b46b73de3439890 | |
| parent | 41fa19fceaba5f8588456472f0990664115062f5 (diff) | |
| download | freetype2-ee6d03d369e78812dc753c55a85226af343b845e.tar.gz | |
[sfnt] Pointer validity check when reading COLR 'v1' layers
* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
existing sanity checks, ensure that the pointer to the layer to be
read is within the 'COLR' v1 table.
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | ChangeLog | 8 |
| -rw-r--r-- | src/sfnt/ttcolr.c | 7 |

2 files changed, 15 insertions, 0 deletions
@@ -1,3 +1,11 @@ +2021-06-08 Dominik Röttsches <drott@chromium.org> + + [sfnt] Pointer validity check when reading COLR 'v1' layers + + * src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the + existing sanity checks, ensure that the pointer to the layer to be + read is within the 'COLR' v1 table. + 2021-06-08 Werner Lemberg <wl@gnu.org> * src/sdf/ftsdfcommon.c: Fix inclusion of header files. diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c index fa58a90a3..c3f225d66 100644 --- a/src/sfnt/ttcolr.c +++ b/src/sfnt/ttcolr.c @@ -702,6 +702,13 @@ p = iterator->p; /* + * First ensure that p is within COLRv1. + */ + if ( p < colr->base_glyphs_v1 || + p >= ( (FT_Byte*)colr->table + colr->table_size ) ) + return 0; + + /* * Do a cursor sanity check of the iterator. Counting backwards from * where it stands, we need to end up at a position after the beginning * of the `LayerV1List` table and not after the end of the |
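Review bot: in the `src/sfnt/ttcolr.c` hunk, the new check `p < colr->base_glyphs_v1 || p >= ( (FT_Byte*)colr->table + colr->table_size )` only establishes that the pointer `p` itself lies inside the table; it does not ensure that the layer record subsequently read from `p` ends before the table end, so a `p` sitting in the last few bytes of the table still passes and the following read can run past `table + table_size`. Either tighten the upper bound to account for the size of the record read at `p` (reject when `p + record_size > table_end`), or add a sentence to the new comment stating that the cursor sanity check below is what bounds the read length. Also, the lower limit uses `colr->base_glyphs_v1` while the comment immediately after refers to the beginning of the `LayerV1List` table; a short comment explaining why `base_glyphs_v1` is the intended lower limit would save a future reader from wondering whether the two checks disagree. Minor style point: computing `(FT_Byte*)colr->table + colr->table_size` once into a local `table_end` would keep the condition readable and reusable by the later checks.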