
Avoid overflow in COLR bounds checks.

Ben Wagner requested to merge bungeman/freetype:fix_colr_overflow into master

The values read into base_glyphs_offset_v1 and layer_offset_v1 may be in the range 0xFFFFFFFD to 0xFFFFFFFF. On systems where unsigned long is 32 bits, adding 4 to such values will wrap and pass bounds checks, but accessing values at such offsets will be out of bounds.

On the other hand, table_size has already been tested to be at least COLRV1_HEADER_SIZE (34), so it is safe to subtract 4 from it.

  • src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from table_size instead of adding 4 to font data offsets in bounds checks

Fixes: https://crbug.com/1469348
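The wrap described in the merge request, reproduced as an added example that is not FreeType's code. Only COLRV1_HEADER_SIZE (34) and the two offset field names are taken from the description; the offset positions 14 and 18 follow the OpenType COLR v1 header layout, and the function names, the `ul32` stand-in for a 32-bit `unsigned long`, the `colr_status` values and the constructed table bytes are assumptions for illustration. The real code in ttcolr.c may phrase its comparisons differently; the point shown is only why `offset + 4` wraps while `table_size - 4` cannot.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeType's code. COLRV1_HEADER_SIZE (34) and the field
 * names come from the merge request; offset positions 14 and 18 follow the
 * OpenType COLR v1 header layout; every other name here is an assumption. */
#define COLRV1_HEADER_SIZE 34u

/* Stand-in for a 32-bit `unsigned long`, so the wrap reproduces on any host. */
typedef uint32_t ul32;

typedef bool (*bounds_check)(ul32 offset, ul32 table_size);

/* Before the fix: 4 is added to the untrusted offset. In 32-bit arithmetic
 * 0xFFFFFFFD + 4 == 1, which passes, yet a read at 0xFFFFFFFD is out of bounds. */
bool offset_ok_vulnerable(ul32 offset, ul32 table_size)
{
    return (ul32)(offset + 4) <= table_size;
}

/* After the fix: 4 is subtracted from the trusted table_size instead. The
 * caller has already required table_size >= COLRV1_HEADER_SIZE, so no underflow. */
bool offset_ok_fixed(ul32 offset, ul32 table_size)
{
    return offset <= table_size - 4;
}

static ul32 read_u32be(const uint8_t *p)
{
    return ((ul32)p[0] << 24) | ((ul32)p[1] << 16) | ((ul32)p[2] << 8) | (ul32)p[3];
}

static void write_u32be(uint8_t *p, ul32 v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

typedef enum { COLR_OK, COLR_TOO_SHORT, COLR_BAD_OFFSET } colr_status;

/* Header validation in the order the merge request relies on: the size test
 * comes first, so the subtraction in offset_ok_fixed is safe. `check` selects
 * which bounds check to apply, so both behaviours can be compared. */
colr_status validate_colr_v1(const uint8_t *table, ul32 table_size, bounds_check check)
{
    if (table_size < COLRV1_HEADER_SIZE)
        return COLR_TOO_SHORT;

    ul32 base_glyphs_offset_v1 = read_u32be(table + 14);  /* baseGlyphListOffset */
    ul32 layer_offset_v1       = read_u32be(table + 18);  /* layerListOffset */

    if (!check(base_glyphs_offset_v1, table_size) || !check(layer_offset_v1, table_size))
        return COLR_BAD_OFFSET;
    return COLR_OK;
}

/* Constructed 34-byte table: version 1, with both v1 offsets in the
 * 0xFFFFFFFD..0xFFFFFFFF range the merge request describes. */
colr_status check_hostile_table(bool use_fix)
{
    uint8_t table[COLRV1_HEADER_SIZE] = { 0, 1 };  /* version = 1 */
    write_u32be(table + 14, 0xFFFFFFFDu);
    write_u32be(table + 18, 0xFFFFFFFFu);
    return validate_colr_v1(table, sizeof table, use_fix ? offset_ok_fixed : offset_ok_vulnerable);
}

/* Constructed benign table: both offsets point at the last 4 bytes (30..33). */
colr_status check_benign_table(bool use_fix)
{
    uint8_t table[COLRV1_HEADER_SIZE] = { 0, 1 };
    write_u32be(table + 14, 30u);
    write_u32be(table + 18, 30u);
    return validate_colr_v1(table, sizeof table, use_fix ? offset_ok_fixed : offset_ok_vulnerable);
}

int main(void)
{
    printf("hostile table, wrapping check: %s\n",
           check_hostile_table(false) == COLR_OK ? "accepted (bug)" : "rejected");
    printf("hostile table, fixed check:    %s\n",
           check_hostile_table(true) == COLR_OK ? "accepted" : "rejected");
    return 0;
}
```

Note that the fixed comparison is only safe because the size test runs first; moving `offset <= table_size - 4` ahead of the `table_size < COLRV1_HEADER_SIZE` test would reintroduce a wrap, this time on the subtraction.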
