[Git][freetype/freetype][master] Avoid overflow in COLR bounds checks.

Ben Wagner pushed to branch master at FreeType / FreeType

Commits:

3829fdaa

by Ben Wagner at 2023-08-04T11:41:23-04:00

Avoid overflow in COLR bounds checks.

The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may
be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long`
is 32 bits adding 4 to such values will wrap and pass bounds checks but
accessing values at such offsets will be out of bounds.

On the other hand `table_size` has already been tested to be at least
`COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it.

* src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size`
instead of adding 4 to font data offsets in bounds checks

Fixes: https://crbug.com/1469348

1 changed file:

src/sfnt/ttcolr.c

Changes:

src/sfnt/ttcolr.c

@@ -229,7 +229,7 @@
        base_glyphs_offset_v1 = FT_NEXT_ULONG( p );
 -      if ( base_glyphs_offset_v1 + 4 >= table_size )
 +      if ( base_glyphs_offset_v1 >= table_size - 4 )
          goto InvalidTable;
        p1                 = (FT_Byte*)( table + base_glyphs_offset_v1 );
@@ -249,7 +249,7 @@
        if ( layer_offset_v1 )
+       {
 -        if ( layer_offset_v1 + 4 >= table_size )
 +        if ( layer_offset_v1 >= table_size - 4 )
            goto InvalidTable;
          p1            = (FT_Byte*)( table + layer_offset_v1 );

From:	Ben Wagner (@bungeman)
Subject:	[Git][freetype/freetype][master] Avoid overflow in COLR bounds checks.
Date:	Fri, 04 Aug 2023 18:24:25 +0000