Skip to content
Commit 3829fdaa authored by Ben Wagner's avatar Ben Wagner
Browse files

Avoid overflow in COLR bounds checks. 

The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may
be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long`
is 32 bits adding 4 to such values will wrap and pass bounds checks but
accessing values at such offsets will be out of bounds.

On the other hand `table_size` has already been tested to be at least
`COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it.

* src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size`
instead of adding 4 to font data offsets in bounds checks

Fixes: https://crbug.com/1469348
parent 95a87208
Pipeline #952730 passed with stage
in 7 minutes and 20 seconds
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment