
Re: [ft-devel] [freetype2] GSoC-2019-moazin 8887048: Performs basic to s


From: Behdad Esfahbod
Subject: Re: [ft-devel] [freetype2] GSoC-2019-moazin 8887048: Performs basic to see if SVG data is valid or not.
Date: Mon, 29 Jul 2019 12:59:40 -0700

Why?

On Mon, Jul 29, 2019 at 12:41 PM Moazin Khatti <address@hidden> wrote:
branch: GSoC-2019-moazin
commit 8887048557db93857ffa6169cfe4c3190f9cb1a1
Author: Moazin Khatti <address@hidden>
Commit: Moazin Khatti <address@hidden>

    Performs basic checks to see if SVG data is valid or not.
---
 src/sfnt/ttsvg.c | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/sfnt/ttsvg.c b/src/sfnt/ttsvg.c
index f4a85ca..223eb88 100644
--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@@ -35,6 +35,24 @@

 #include "ttsvg.h"

+/* SVG table looks like:
+ * --------------------------------------
+ * Bytes:         Field                 |
+ * --------------------------------------
+ * 2              version
+ * 4              offsetToSVGDocumentList
+ * 4              reserved
+ * 2              numEntries (non-zero)
+ * 12*numEntries  documentList
+ *
+ * Since numEntries must be at least one, minimum
+ * size of SVG table is 24. Everything apart from
+ * the documentList makes 12 bytes.
+ */
+
+#define  SVG_HEADER_BASE_SIZE 12
+#define  SVG_HEADER_MIN_SIZE  24
+
   /* TODO: (OT-SVG) Decide whether to add documentation here or not */

   typedef struct Svg_
@@ -69,6 +87,9 @@
     if( error )
       goto NoSVG;

+    if ( table_size < SVG_HEADER_MIN_SIZE )
+      goto InvalidTable;
+
     if( FT_FRAME_EXTRACT( table_size, table ))
       goto NoSVG;

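Review bot: The `goto InvalidTable` added here runs before `FT_FRAME_EXTRACT`, while the jumps to the same label added in the later hunks (the version test and the `num_entries` test) run after the frame has been entered, so one label has to clean up two different states. The label is outside the visible hunks: if it releases the frame, this early jump releases a frame that was never extracted, and if it does not, the later jumps leave the frame and anything allocated for `svg` behind. Confirm which it is, and document the contract at the label with something like `/* reached both before and after FT_FRAME_EXTRACT; release only what was acquired */`. The enclosing function starts and ends outside this hunk.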
@@ -77,7 +98,14 @@
       goto NoSVG;

     p = table;
-    svg->version =            FT_NEXT_USHORT( p );
+    svg->version = FT_NEXT_USHORT( p );
+
+    /* At the time of writing this, only version 0 exists,
+     * and only that is supported by FreeType
+     */
+    if ( svg->version != 0 )
+      goto InvalidTable;
+
     offsetToSVGDocumentList = FT_NEXT_ULONG( p );

     if( offsetToSVGDocumentList == 0 )
@@ -88,6 +116,9 @@
     p = svg->svg_doc_list;
     svg->num_entries = FT_NEXT_USHORT( p );

+    if ( ( svg->num_entries*12 + SVG_HEADER_BASE_SIZE ) > table_size )
+      goto InvalidTable;
+
     FT_TRACE3(( "version: %d\n", svg->version ));
     FT_TRACE3(( "num entiries: %d\n", svg->num_entries ));

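Review bot: The added bound `svg->num_entries*12 + SVG_HEADER_BASE_SIZE > table_size` measures the document list from a fixed 12-byte prefix, but `num_entries` is read through `svg->svg_doc_list`, which appears to be placed at `offsetToSVGDocumentList` (that assignment lies between the hunks and is not visible); the only test on the offset in view is `== 0`. With an offset larger than 10 the records can extend past `table_size` and still pass this check, and with an offset at or beyond the end of the table the `FT_NEXT_USHORT( p )` above already reads outside the extracted frame. Validate the offset before that read with `if ( offsetToSVGDocumentList > table_size - 2 ) goto InvalidTable;` and bound the records from it with `if ( (FT_ULong)svg->num_entries * 12 > table_size - 2 - offsetToSVGDocumentList ) goto InvalidTable;`. The layout comment in the first hunk also marks numEntries as non-zero, which nothing in the visible code enforces.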
@@ -244,7 +275,10 @@
       *doc_length = mid_doc.length;
       *start_glyph = mid_doc.start_glyph_id;
       *end_glyph   = mid_doc.end_glyph_id;
-      error = FT_Err_Ok;
+      if ( *doc_length == 0 )
+        error = FT_THROW( Invalid_SVG_Document );
+      else
+        error = FT_Err_Ok;
     }
     return error;
   }
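Review bot: The new test rejects only a zero `doc_length`; in the visible lines nothing compares the record's offset and length with the size of the SVG table, and the function body above the hunk is not shown. If that comparison is not made earlier, a record with an oversized length hands the caller a pointer and length that run past the table, so a range check belongs next to this one. The output parameters are also written before the error is decided, so a caller that ignores the return code still sees the rejected values; testing `mid_doc.length == 0` first and assigning only in the `else` branch avoids that. A comment such as `/* an empty document cannot be rendered; treat the record as invalid */` would explain why zero is an error.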



--
behdad
http://behdad.org/
