
[sfnt] Fix bounds check in SVG.

Ben Wagner requested to merge bungeman/freetype:svg_macros_in_parens into master

The SVG_DOCUMENT_LIST_MINIMUM_SIZE macro is non-trivial and not protected by parentheses. As a result, the expression table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE expands to table_size - 2U + SVG_DOCUMENT_RECORD_SIZE instead of the expected table_size - (2U + SVG_DOCUMENT_RECORD_SIZE). This causes an incorrect bounds check which may lead to reading past the end of the SVG table.

  • src/sfnt/ttsvg.c (tt_face_load_svg): wrap macro definitions in parentheses.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45179
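The following is an added illustration of the macro-expansion defect described in this merge request; it is not code from FreeType's ttsvg.c. It places the unparenthesized and the parenthesized form of the minimum-size macro side by side and runs a simplified offset check through both. The names with _BAD and _FIXED suffixes, the stand-in check functions, and the assumed record size of 12 bytes (two 16-bit glyph IDs plus a 32-bit offset and length, as in the OpenType SVG document record) are this example's own; the page itself does not state the record size.

```c
#include <stdio.h>

/* Assumed size of one SVG document record: 12 bytes. The MR does not
 * give this number; it only matters that it is non-zero. */
#define SVG_DOCUMENT_RECORD_SIZE 12U

/* The defect described in the MR: no parentheses around the sum, so the
 * macro body is spliced into the caller's expression token by token. */
#define SVG_DOCUMENT_LIST_MINIMUM_SIZE_BAD   2U + SVG_DOCUMENT_RECORD_SIZE

/* The fix: the sum is a single parenthesized unit wherever it is used. */
#define SVG_DOCUMENT_LIST_MINIMUM_SIZE_FIXED (2U + SVG_DOCUMENT_RECORD_SIZE)

/* Largest offset at which a document list (2-byte count + one record)
 * could still start inside a table of `table_size` bytes.
 *
 * With the broken macro this expands to
 *     table_size - 2U + SVG_DOCUMENT_RECORD_SIZE
 * i.e. the limit lands SVG_DOCUMENT_RECORD_SIZE - 2 bytes PAST the end
 * of the table instead of 2 + SVG_DOCUMENT_RECORD_SIZE bytes before it. */
unsigned long max_list_offset_bad(unsigned long table_size)
{
    return table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE_BAD;
}

unsigned long max_list_offset_fixed(unsigned long table_size)
{
    return table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE_FIXED;
}

/* Simplified stand-in for the bounds check: accept the list offset only if
 * the minimal list still fits in the table. Returns 1 = accept, 0 = reject.
 * Callers are assumed to have already verified that table_size is at least
 * the minimum list size, so the subtraction cannot wrap. */
int list_offset_ok_bad(unsigned long table_size, unsigned long offset)
{
    return offset <= max_list_offset_bad(table_size);
}

int list_offset_ok_fixed(unsigned long table_size, unsigned long offset)
{
    return offset <= max_list_offset_fixed(table_size);
}

int main(void)
{
    /* Constructed sample: a 100-byte SVG table and a few candidate offsets,
     * including one that lies entirely outside the table. */
    unsigned long table_size = 100;
    unsigned long offsets[]  = { 86, 87, 96, 105 };
    size_t        i;

    printf("table_size = %lu\n", table_size);
    printf("limit (broken macro) = %lu, limit (fixed macro) = %lu\n",
           max_list_offset_bad(table_size), max_list_offset_fixed(table_size));

    for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        printf("offset %3lu: broken check %s, fixed check %s\n",
               offsets[i],
               list_offset_ok_bad(table_size, offsets[i])   ? "accepts" : "rejects",
               list_offset_ok_fixed(table_size, offsets[i]) ? "accepts" : "rejects");
    }
    return 0;
}
```

The broken check accepts an offset of 105 in a 100-byte table, so a later read of the 2-byte count and the first record starts beyond the buffer; the parenthesized macro rejects everything above 86, leaving room for the full minimal list.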
