author | Werner Lemberg <wl@gnu.org> | 2022-03-17 19:24:16 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-08-03 10:08:13 +0000 |
commit | cae6077cad770c5d1297a518a19d0b7157d927d9 (patch) | |
tree | 8288e47e6f308c3278fd2cab4a90cf47e3d6dd57 | |
parent | dfede62a6e14e64c839acaee5f6790fd311e052f (diff) | |
download | qtwebengine-chromium-cae6077cad770c5d1297a518a19d0b7157d927d9.tar.gz |
[Backport] CVE-2022-27404
Cherry-pick of patch originally submitted on
https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db:
Avoid invalid face index.
Fixes #1138.
* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
Check `face_index` before decrementing.
Change-Id: I1744d27542fc2dd17dada37fa0ade09a0b818b65
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/freetype/src/src/sfnt/sfobjs.c | 2 | ||||
-rw-r--r-- | chromium/third_party/freetype/src/src/sfnt/sfwoff2.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/freetype/src/src/sfnt/sfobjs.c b/chromium/third_party/freetype/src/src/sfnt/sfobjs.c index cf730717eb0..553d5e85232 100644 --- a/chromium/third_party/freetype/src/src/sfnt/sfobjs.c +++ b/chromium/third_party/freetype/src/src/sfnt/sfobjs.c @@ -553,7 +553,7 @@ face_index = FT_ABS( face_instance_index ) & 0xFFFF; /* value -(N+1) requests information on index N */ - if ( face_instance_index < 0 ) + if ( face_instance_index < 0 && face_index > 0 ) face_index--; if ( face_index >= face->ttc_header.count ) diff --git a/chromium/third_party/freetype/src/src/sfnt/sfwoff2.c b/chromium/third_party/freetype/src/src/sfnt/sfwoff2.c index df04072382e..75c0ffb0d77 100644 --- a/chromium/third_party/freetype/src/src/sfnt/sfwoff2.c +++ b/chromium/third_party/freetype/src/src/sfnt/sfwoff2.c @@ -2102,7 +2102,7 @@ /* Validate requested face index. */ *num_faces = woff2.num_fonts; /* value -(N+1) requests information on index N */ - if ( *face_instance_index < 0 ) + if ( *face_instance_index < 0 && face_index > 0 ) face_index--; if ( face_index >= woff2.num_fonts ) |
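Review bot: In the sfobjs.c hunk, the comment above the changed condition still documents only the `-(N+1)` mapping and does not say what happens when the new `face_index > 0` clause is false. Because `face_index` is `FT_ABS( face_instance_index ) & 0xFFFF`, a negative `face_instance_index` whose magnitude has all-zero low 16 bits now skips the decrement and proceeds as index 0, relying on the following `if ( face_index >= face->ttc_header.count )` check alone. Please extend the comment to state that this case is intentionally treated as index 0, or reject it explicitly if such an input should not select a face. The diffstat shows only the two source files changed, so a regression test covering a negative index with a zero masked value would also be worth adding.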
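Review bot: In the sfwoff2.c hunk, the guard `*face_instance_index < 0 && face_index > 0` depends on how `face_index` was derived, and that assignment is outside the visible context. Please confirm it is computed the same way as in sfobjs.c (masked absolute value), since otherwise the two conditions do not protect the same case. The condition, the decrement and the `-(N+1)` comment are now duplicated verbatim across sfobjs.c and sfwoff2.c. Consider a small shared helper so that a future change to the index validation cannot be applied to one file and missed in the other.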