[svg] Add document bounds checking (!203) · Merge requests · FreeType / FreeType

Ben Wagner requested to merge bungeman/freetype:svg_document_content_check into master Sep 26, 2022

Add a check that the document content is actually contained within the SVG table. Without this check a malformed font may claim arbitrary memory as its document content.

src/sfnt/ttsvg.c (tt_face_load_svg): take numEntries into account when testing documentRecord extents. (find_doc): rename stream to document_records for clarity. (tt_face_load_svg_doc): split doc from doc_list pointer for clarity. Test that the document content is contained within the table. Ensure minimum length of document before testing for gzip format.

Reported as:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812

Edited Sep 26, 2022 by Ben Wagner

Admin message

Admin message

[svg] Add document bounds checking

Merge request reports