[colr] Avoid overflow in range checks

In 32-bit builds, FT_ULong is 32 bits and can silently overflow when a large number is read into one and then it is summed or multiplied with another number. Checks for range overflow must be written so that they themselves do not overflow. Also ensure that the table_size is always the first part of the range check and consistently use < or <=.

  • src/sfnt/ttcolr.c (tt_face_load_colr): avoid overflow
    (find_base_glyph_v1_record): remove old work-around

Bug: https://issues.chromium.org/issues/41495455
Bug: https://issues.chromium.org/issues/40945818
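
The pattern the commit message describes, as an added example that is not FreeType's code: a range check that wraps in 32-bit arithmetic next to a form that cannot, with `table_size` as the first operand. Here `uint32_t` stands in for a 32-bit `FT_ULong`, and the function names, the other parameter names and the sample values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers; uint32_t models FT_ULong on a 32-bit build. */

/* Wrapping form: both the product and the sum are reduced modulo 2^32,
   so an oversized count or offset can produce a small value that passes. */
static int range_ok_wrapping(uint32_t table_size, uint32_t offset,
                             uint32_t count, uint32_t record_size)
{
    return (uint32_t)(offset + count * record_size) <= table_size;
}

/* Overflow-safe form: table_size comes first in every comparison and the
   only arithmetic is a subtraction already proven safe and a division. */
static int range_ok_safe(uint32_t table_size, uint32_t offset,
                         uint32_t count, uint32_t record_size)
{
    if (table_size < offset)
        return 0;                      /* offset lies past the table */
    if (record_size == 0)
        return 1;                      /* nothing to read past offset */
    if ((table_size - offset) / record_size < count)
        return 0;                      /* records would run past the end */
    return 1;
}

int main(void)
{
    /* Constructed inputs: a 1000-byte table with 16-byte records. */
    const uint32_t table_size = 1000, record_size = 16;
    const struct { uint32_t offset, count; } cases[] = {
        { 16, 61 },                    /* fits: 16 + 61*16 = 992 */
        { 16, 62 },                    /* 8 bytes too long */
        { 16, 0x10000000u },           /* count * 16 wraps to 0 */
        { 0xFFFFFFF0u, 2 },            /* offset + 32 wraps to 16 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("offset=%#x count=%#x wrapping=%d safe=%d\n",
               (unsigned)cases[i].offset, (unsigned)cases[i].count,
               range_ok_wrapping(table_size, cases[i].offset,
                                 cases[i].count, record_size),
               range_ok_safe(table_size, cases[i].offset,
                             cases[i].count, record_size));
    return 0;
}
```

The last two cases are the ones where the two forms disagree: the wrapping check accepts them and the safe check rejects them.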
