Commit 33ceac2a authored by Dominik Röttsches's avatar Dominik Röttsches Committed by Werner Lemberg
Browse files

Reject 'COLR' table if version is 1 but header too small.

* src/sfnt/ttcolr.c (tt_face_load_colr): If the version is determined to
be 1, then the table size has to be at least the size of the v1 header.
Also, for peeking the number of base glyphs and entries in the layer list,
ensure that the table is sufficiently long.

Fixes #1179.  Original patch by Sergey Temnikov.
parent a0d15364
Pipeline #690559 passed with stage
in 21 minutes and 34 seconds
......@@ -57,7 +57,11 @@
#define LAYER_V1_LIST_NUM_LAYERS_SIZE 4U
#define COLOR_STOP_SIZE 6U
#define LAYER_SIZE 4U
#define COLR_HEADER_SIZE 14U
/* https://docs.microsoft.com/en-us/typography/opentype/spec/colr#colr-header */
/* 3 * uint16 + 2 * Offset32 */
#define COLRV0_HEADER_SIZE 14U
/* COLRV0_HEADER_SIZE + 5 * Offset32 */
#define COLRV1_HEADER_SIZE 34U
#define VARIABLE_COLRV1_ENABLED \
......@@ -191,7 +195,7 @@
colr_offset_in_stream = FT_STREAM_POS();
#endif
if ( table_size < COLR_HEADER_SIZE )
if ( table_size < COLRV0_HEADER_SIZE )
goto InvalidTable;
if ( FT_FRAME_EXTRACT( table_size, table ) )
......@@ -225,9 +229,12 @@
if ( colr->version == 1 )
{
if ( table_size < COLRV1_HEADER_SIZE )
goto InvalidTable;
base_glyphs_offset_v1 = FT_NEXT_ULONG( p );
if ( base_glyphs_offset_v1 >= table_size )
if ( base_glyphs_offset_v1 + 4 >= table_size )
goto InvalidTable;
p1 = (FT_Byte*)( table + base_glyphs_offset_v1 );
......@@ -247,6 +254,9 @@
if ( layer_offset_v1 )
{
if ( layer_offset_v1 + 4 >= table_size )
goto InvalidTable;
p1 = (FT_Byte*)( table + layer_offset_v1 );
num_layers_v1 = FT_PEEK_ULONG( p1 );
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment