From df2601395f96d5d513f15795a725abfe76214d95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?=
Date: Tue, 27 Sep 2022 17:50:55 +0300
Subject: [sfnt] Guard access in 'COLR' table when requesting child table pointer.

* src/sfnt/ttcolr.c (tt_face_get_colorline_stops, read_paint): Tighten pointer bounds checks. (get_child_table_pointer): Check whether incoming pointer `p` lies within the 'COLR' table.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51816
---
 src/sfnt/ttcolr.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 5df31b9e0..c65ca3da5 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -554,6 +554,10 @@
     if ( !child_table_pointer )
       return 0;
 
+    if ( *p < colr->paints_start_v1 ||
+         *p > (FT_Byte*)colr->table + colr->table_size - 1 - 3 )
+      return 0;
+
     paint_offset = FT_NEXT_UOFF3( *p );
     if ( !paint_offset )
       return 0;
@@ -650,8 +654,10 @@
     if ( !p || !colr || !colr->table )
       return 0;
 
-    if ( p < colr->paints_start_v1 ||
-         p >= ( (FT_Byte*)colr->table + colr->table_size ) )
+    /* The last byte of the 'COLR' table is at 'size-1'; subtract 1 of */
+    /* that to account for the expected format byte we are going to read. */
+    if ( p < colr->paints_start_v1 ||
+         p > (FT_Byte*)colr->table + colr->table_size - 2 )
       return 0;
 
     apaint->format = (FT_PaintFormat)FT_NEXT_BYTE( p );
@@ -1577,10 +1583,12 @@
     if ( iterator->current_color_stop >= iterator->num_color_stops )
       return 0;
 
+    /* Subtract 3 times 2 because we need to succeed in reading */
+    /* three 2-byte short values. */
     if ( iterator->p +
-           ( ( iterator->num_color_stops - iterator->current_color_stop ) *
-             COLOR_STOP_SIZE ) >
-           ( (FT_Byte *)colr->table + colr->table_size ) )
+           ( iterator->num_color_stops - iterator->current_color_stop ) *
+             COLOR_STOP_SIZE >
+           (FT_Byte*)colr->table + colr->table_size - 1 - 2 - 2 - 2 )
       return 0;
 
     /* Iterator points at first `ColorStop` of `ColorLine`. */
-- 
cgit v1.2.1
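Review bot: The new upper bound in get_child_table_pointer is one byte stricter than the 3-byte read it guards: the last table byte sits at `table + table_size - 1`, so FT_NEXT_UOFF3 touching `*p .. *p + 2` is in bounds for every `*p <= table + table_size - 3`, yet `*p > ... - 1 - 3` also rejects `*p == table + table_size - 3`. The read_paint hunk has the same over-subtraction (`- 2` where `- 1` already covers the single format byte). Both checks are memory-safe as written, but they may reject a well-formed table whose last paint field ends on the final bytes; either drop the extra `- 1` in both places (`*p > (FT_Byte*)colr->table + colr->table_size - 3 )` and `p > (FT_Byte*)colr->table + colr->table_size - 1 )`) or add a comment stating that the slack is deliberate. The body of get_child_table_pointer begins before the hunk and the use of the computed child pointer lies after it, so the check on the derived pointer is not visible here.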
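Review bot: The rewritten bound in tt_face_get_colorline_stops double-counts the record size: `( num_color_stops - current_color_stop ) * COLOR_STOP_SIZE` already spans every byte of the remaining stops, so the resulting end pointer only needs to stay `<= table + table_size`, which is exactly what the removed comparison enforced. Subtracting a further `- 1 - 2 - 2 - 2` rejects any color line whose last stop ends within the final 7 bytes of the table, assuming COLOR_STOP_SIZE is the per-stop byte count; the new comment about "three 2-byte short values" describes a read the multiplication has already accounted for. Consider restoring `(FT_Byte*)colr->table + colr->table_size )` as the right-hand side and rewording the comment to say that the product covers all remaining stops. The enclosing function starts outside the hunk, so whether `iterator->p` was validated against the table start earlier cannot be confirmed from this view.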