diff options
author | Ben Wagner <bungeman@chromium.org> | 2022-01-06 12:54:15 -0500 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2022-01-06 19:13:00 +0100 |
commit | afb4ca0151959a8bedfb39a9a9140504168be7ea (patch) | |
tree | 32bef020212ed4be4958299dda771993cbb03b74 /src | |
parent | 2b672e7210a6e989aca4787fb81f4b2542bad9c1 (diff) | |
download | freetype2-afb4ca0151959a8bedfb39a9a9140504168be7ea.tar.gz |
[truetype] Reset localpoints when varying cvt.
When iterating over the cvt tuples and reading in the points it is necessary
to set all of `localpoints`, `points`, and `point_count` in all cases. The
existing code did not reset `localpoints` to `NULL` when there were no
private point numbers. If the previous tuple did have private point numbers
and set `localpoints` to `ALL_POINTS` this would not be cleared and the
wrong branch would be taken later, leading to possible heap buffer overflow.
* src/truetype/ttgxvar.c (tt_face_vary_cvt): Reset `localpoints` to `NULL`
when it isn't valid.
Fixes: https://crbug.com/1284742
Diffstat (limited to 'src')
-rw-r--r-- | src/truetype/ttgxvar.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index 7f2db0cbd..55ff152e7 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -3476,6 +3476,7 @@ } else { + localpoints = NULL; points = sharedpoints; point_count = spoint_count; } |