[Git][freetype/freetype][master] [sfnt] Fix color stop bounds check calculation at table end.

[Werner Lemberg (@wl)]

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

• 63f37136
  by Dominik Röttsches at 2023-01-05T09:35:32+01:00

  [sfnt] Fix color stop bounds check calculation at table end.
  
  Fixes https://bugs.chromium.org/p/skia/issues/detail?id=14021
  
  * src/sfnt/ttcolr.c (VAR_IDX_BASE_SIZE): New macro.
  (tt_face_get_colorline_stops): Fix off-by-one bounds check calculation, take
  `VarColorStop` into account, and hopefully make it easier to read.
  

1 changed file:

• src/sfnt/ttcolr.c

Changes:

src/sfnt/ttcolr.c

---

...	...	@@ -56,6 +56,7 @@
56	56	#define LAYER_V1_LIST_PAINT_OFFSET_SIZE 4U
57	57	#define LAYER_V1_LIST_NUM_LAYERS_SIZE 4U
58	58	#define COLOR_STOP_SIZE 6U
	59	+#define VAR_IDX_BASE_SIZE 4U
59	60	#define LAYER_SIZE 4U
60	61	/* https://docs.microsoft.com/en-us/typography/opentype/spec/colr#colr-header */
61	62	/* 3 * uint16 + 2 * Offset32 */
...	...	@@ -1618,20 +1619,29 @@
1618	1619
1619	1620	FT_Byte* p;
1620	1621	FT_ULong var_index_base;
	1622	+ FT_Byte* last_entry_p = NULL;
	1623	+ FT_UInt entry_size = COLOR_STOP_SIZE;
1621	1624
1622	1625
1623		- if ( !colr || !colr->table )
	1626	+ if ( !colr || !colr->table || !iterator )
1624	1627	return 0;
1625	1628
1626	1629	if ( iterator->current_color_stop >= iterator->num_color_stops )
1627	1630	return 0;
1628	1631
1629		- /* Subtract 3 times 2 because we need to succeed in reading */
1630		- /* three 2-byte short values. */
1631		- if ( iterator->p +
1632		- ( iterator->num_color_stops - iterator->current_color_stop ) *
1633		- COLOR_STOP_SIZE >
1634		- (FT_Byte*)colr->table + colr->table_size - 1 - 2 - 2 - 2 )
	1632	+ if ( iterator->read_variable )
	1633	+ entry_size += VAR_IDX_BASE_SIZE;
	1634	+
	1635	+ /* Calculate the start pointer for the last to-be-read (Var)ColorStop */
	1636	+ /* and check whether we can read a full (Var)ColorStop at that */
	1637	+ /* position by comparing it to the position that is the size of one */
	1638	+ /* (Var)ColorStop before the end of the 'COLR' table. */
	1639	+ last_entry_p =
	1640	+ iterator->p + ( iterator->num_color_stops - 1 -
	1641	+ iterator->current_color_stop ) * entry_size;
	1642	+ if ( iterator->p < colr->paints_start_v1 ||
	1643	+ last_entry_p > (FT_Byte*)colr->table +
	1644	+ colr->table_size - entry_size )
1635	1645	return 0;
1636	1646
1637	1647	/* Iterator points at first `ColorStop` of `ColorLine`. */

—
View it on GitLab.
You're receiving this email because of your account on gitlab.freedesktop.org. Manage all notifications · Help