-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | src/sfnt/ttcmap.c | 10 |
2 files changed, 19 insertions, 0 deletions
@@ -1,3 +1,12 @@
+2021-06-08 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Sanitize cmap4 table better.
+
+ Fixes #1062.
+
+ * src/sfnt/ttcmap.c (tt_cmap4_validate): Handle a too-small value of
+ `length` gracefully.
+
 2021-06-08 Dominik Röttsches <drott@chromium.org>
 [sfnt] Pointer validity check when reading COLR 'v1' layers
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 45d9f92f9..b369d8378 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -916,6 +916,16 @@
 length = (FT_UInt)( valid->limit - table );
 }
+ /* it also happens that the `length' field is too small; */
+ /* this is easy to correct */
+ if ( length < (FT_UInt)( valid->limit - table ) )
+ {
+ if ( valid->level >= FT_VALIDATE_PARANOID )
+ FT_INVALID_DATA;
+
+ length = (FT_UInt)( valid->limit - table );
+ }
+
 if ( length < 16 )
 FT_INVALID_TOO_SHORT; |
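Review bot: The added branch for `length < (FT_UInt)( valid->limit - table )` replaces the font-supplied value with everything up to `valid->limit`, and the comment `this is easy to correct` does not say why widening is safe or what `valid->limit` delimits. Together with the assignment visible just above it (presumably the clamp for an over-large value, whose condition is outside the hunk), `length` ends up equal to `valid->limit - table` whenever validation does not abort, so any later check that relies on `length` is in effect a check against the validator limit. If that limit marks the end of an enclosing table rather than of this subtable (not visible here), trailing bytes belonging to other data would be treated as part of this one. I would state the invariant in the comment, e.g. `/* from here on length == valid->limit - table, so reads bounded by length stay inside the validated buffer */`, and compute the difference once into a local instead of repeating the cast. The body of `tt_cmap4_validate` starts and ends outside the hunk.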