author=?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>2022-10-18 14:45:43 +0300
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-11-21 12:22:11 +0000
commit5e7f517eade60dd5f9409f32a44a8c5f897bb8c1 (patch)
tree5fa50df6bcd990115101429959f56b2bbac9d638
parentb0e254ef605f70df3beb6148c88b5ab178ba1f14 (diff)
downloadqtwebengine-chromium-5e7f517eade60dd5f9409f32a44a8c5f897bb8c1.tar.gz
[Backport] Security bug 1375290 (2/2)
Manual backport of patch originally submitted at https://gitlab.freedesktop.org/freetype/freetype/-/merge_requests/216/commits: [sfnt] Additional bounds checks in `COLR` v1. * src/sfnt/ttcolr.c (read_paint): Use new ENSURE_READ_BYTES macro, ensure that 3 bytes can be read. (tt_face_get_paint_layers): Ensure that the 4-byte paint table offset can be read. Follow up to !124 and issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404 Change-Id: I800ff5a6ada85246e6fc2076b6576b3602b7293b Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/443049 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/freetype/src/src/sfnt/ttcolr.c28
1 files changed, 17 insertions, 11 deletions
diff --git a/chromium/third_party/freetype/src/src/sfnt/ttcolr.c b/chromium/third_party/freetype/src/src/sfnt/ttcolr.c
index 95ad567c861..e956db78b06 100644
--- a/chromium/third_party/freetype/src/src/sfnt/ttcolr.c
+++ b/chromium/third_party/freetype/src/src/sfnt/ttcolr.c
@@ -386,12 +386,14 @@
static FT_Bool
- read_color_line( FT_Byte* color_line_p,
+ read_color_line( Colr* colr,
+ FT_Byte* color_line_p,
FT_ColorLine *colorline )
{
FT_Byte* p = color_line_p;
FT_PaintExtend paint_extend;
+ ENSURE_READ_BYTES( 3 );
paint_extend = (FT_PaintExtend)FT_NEXT_BYTE( p );
if ( paint_extend > FT_COLR_PAINT_EXTEND_REFLECT )
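Review bot: The `3` in `ENSURE_READ_BYTES( 3 )` is a bare magic number; the hunk shows only the one-byte `paint_extend` read, so the other two bytes are presumably the 16-bit color-stop count read further down in read_color_line, whose body continues outside the hunk. A reader auditing the bound against the reads it protects has to go find them, so the check should state what it covers: `ENSURE_READ_BYTES( 3 ); /* paint_extend (1 byte) + num_color_stops (2 bytes) */` — confirm the second field against the reads that follow. The macro's definition is not in this hunk; if it expands in terms of the caller's local names `p` and `colr`, as threading `colr` through the signature suggests, that implicit contract deserves a comment at the definition site so future callers declare both names.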
@@ -526,7 +528,8 @@
if ( apaint->format == FT_COLR_PAINTFORMAT_LINEAR_GRADIENT )
{
- if ( !read_color_line( child_table_p,
+ if ( !read_color_line( colr,
+ child_table_p,
&apaint->u.linear_gradient.colorline ) )
return 0;
@@ -551,7 +554,8 @@
FT_Pos tmp;
- if ( !read_color_line( child_table_p,
+ if ( !read_color_line( colr,
+ child_table_p,
&apaint->u.radial_gradient.colorline ) )
return 0;
@@ -579,7 +583,8 @@
else if ( apaint->format == FT_COLR_PAINTFORMAT_SWEEP_GRADIENT )
{
- if ( !read_color_line( child_table_p,
+ if ( !read_color_line( colr,
+ child_table_p,
&apaint->u.sweep_gradient.colorline ) )
return 0;
@@ -1035,13 +1040,6 @@
p = iterator->p;
/*
- * First ensure that p is within COLRv1.
- */
- if ( p < colr->layers_v1 ||
- p >= ( (FT_Byte*)colr->table + colr->table_size ) )
- return 0;
-
- /*
* Do a cursor sanity check of the iterator. Counting backwards from
* where it stands, we need to end up at a position after the beginning
* of the `LayerV1List` table and not after the end of the
@@ -1057,6 +1055,14 @@
colr->num_layers_v1 * LAYER_V1_LIST_PAINT_OFFSET_SIZE ) )
return 0;
+ /*
+ * Before reading, ensure that p is within COLRv1 and we can read a 4-byte
+ * ULONG.
+ */
+ if ( p < colr->layers_v1 ||
+ p > ( (FT_Byte*)colr->table + colr->table_size - 4 ) )
+ return 0;
+
paint_offset =
FT_NEXT_ULONG( p );
opaque_paint->insert_root_transform =
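Review bot: The new upper-bound test `p > ( (FT_Byte*)colr->table + colr->table_size - 4 )` forms a pointer before the table's first byte whenever `table_size < 4`, which is undefined behavior in the letter of the standard even though the comparison is what is wanted in practice; whether that case is reachable depends on a minimum-size check at table load time that is not visible here. Comparing offsets avoids the question: `(FT_ULong)( p - (FT_Byte*)colr->table ) + 4 > colr->table_size`, which is well-defined once the preceding `p < colr->layers_v1` test has placed p inside the table (assuming `layers_v1` itself lies within it, as the cursor sanity check above appears to rely on). The literal `4` also duplicates what `LAYER_V1_LIST_PAINT_OFFSET_SIZE` on the line above presumably names, and using that constant in both places keeps the two checks from drifting apart. Moving the bounds check after the cursor sanity check is harmless, since that check only compares pointers and dereferences nothing, and it correctly precedes the `FT_NEXT_ULONG( p )` read. tt_face_get_paint_layers continues outside the hunk, so how `paint_offset` is subsequently validated against the table is not shown.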