-rw-r--r--src/sfnt/ttcolr.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index b43216181..5df31b9e0 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -57,7 +57,11 @@
#define LAYER_V1_LIST_NUM_LAYERS_SIZE 4U
#define COLOR_STOP_SIZE 6U
#define LAYER_SIZE 4U
-#define COLR_HEADER_SIZE 14U
+/* https://docs.microsoft.com/en-us/typography/opentype/spec/colr#colr-header */
+/* 3 * uint16 + 2 * Offset32 */
+#define COLRV0_HEADER_SIZE 14U
+/* COLRV0_HEADER_SIZE + 5 * Offset32 */
+#define COLRV1_HEADER_SIZE 34U
#define VARIABLE_COLRV1_ENABLED \
@@ -191,7 +195,7 @@
colr_offset_in_stream = FT_STREAM_POS();
#endif
- if ( table_size < COLR_HEADER_SIZE )
+ if ( table_size < COLRV0_HEADER_SIZE )
goto InvalidTable;
if ( FT_FRAME_EXTRACT( table_size, table ) )
@@ -225,9 +229,12 @@
if ( colr->version == 1 )
{
+ if ( table_size < COLRV1_HEADER_SIZE )
+ goto InvalidTable;
+
base_glyphs_offset_v1 = FT_NEXT_ULONG( p );
- if ( base_glyphs_offset_v1 >= table_size )
+ if ( base_glyphs_offset_v1 + 4 >= table_size )
goto InvalidTable;
p1 = (FT_Byte*)( table + base_glyphs_offset_v1 );
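Review bot: The new bound `base_glyphs_offset_v1 + 4 >= table_size` can wrap before it is compared: the offset is a 32-bit value taken straight from the font via FT_NEXT_ULONG, so on targets where FT_ULong is 32 bits wide an offset near 0xFFFFFFFF makes `+ 4` wrap to a small number, the check passes, and `table + base_glyphs_offset_v1` on the following line points outside the extracted frame. Writing the check in subtraction form keeps the same accept/reject set without the overflow, `if ( base_glyphs_offset_v1 >= table_size || table_size - base_glyphs_offset_v1 <= 4 )`. The `layer_offset_v1 + 4 >= table_size` check added in the next hunk has the same shape and should be rewritten the same way. The enclosing function begins and continues outside this hunk, so I cannot see what is read through p1 here; the `>=` form is assumed to be the author's intended margin.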
@@ -247,6 +254,9 @@
if ( layer_offset_v1 )
{
+ if ( layer_offset_v1 + 4 >= table_size )
+ goto InvalidTable;
+
p1 = (FT_Byte*)( table + layer_offset_v1 );
num_layers_v1 = FT_PEEK_ULONG( p1 );