Adjust table size comparisons (#54242). * src/sfnt/ttcpal.c (tt_face_load_cpal): Implement it.
diff --git a/ChangeLog b/ChangeLog
index 0bcdb95..f193f6f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2018-07-05 Werner Lemberg <wl@gnu.org>
+ Adjust table size comparisons (#54242).
+
+ * src/sfnt/ttcpal.c (tt_face_load_cpal): Implement it.
+
+2018-07-05 Werner Lemberg <wl@gnu.org>
+
Fix more 32bit issues (#54208)
* src/cff/cffload.c (cff_blend_build_vector): Convert assertion into
diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c
index f01d88c..b4b60e2 100644
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -112,6 +112,10 @@
cpal->num_colors = FT_NEXT_USHORT( p );
colors_offset = FT_NEXT_ULONG( p );
+ if ( CPAL_V0_HEADER_BASE_SIZE +
+ face->palette_data.num_palettes * 2U > table_size )
+ goto InvalidTable;
+
if ( colors_offset >= table_size )
goto InvalidTable;
if ( cpal->num_colors * COLOR_SIZE > table_size - colors_offset )
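Review bot: The added guard `CPAL_V0_HEADER_BASE_SIZE + face->palette_data.num_palettes * 2U > table_size` carries no comment saying which region of the table it bounds, and a reader has to infer it from the `* 2U`. I would put `/* the per-palette index array (2 bytes per palette) follows the v0 header and must lie inside the table */` directly above it. The additive form cannot wrap only if num_palettes is a 16-bit field, which these lines do not show; please confirm that, or say so in the comment. The body of tt_face_load_cpal starts and ends outside this hunk.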
@@ -128,7 +132,9 @@
FT_UShort* q;
- if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size )
+ if ( CPAL_V0_HEADER_BASE_SIZE +
+ face->palette_data.num_palettes * 2U +
+ 3U * 4 > table_size )
goto InvalidTable;
p += face->palette_data.num_palettes * 2;
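Review bot: `3U * 4` in the version 1 size check is still a bare literal, although this commit gives the base header size a name. A named constant defined next to CPAL_V0_HEADER_BASE_SIZE (for example `#define CPAL_V1_HEADER_EXT_SIZE ( 3U * 4 )`, name to taste) with a short comment that it covers the three 32-bit offsets read after `p += face->palette_data.num_palettes * 2` would make the bound self-explanatory. This check only guarantees that the three offset fields themselves are inside the table. Whether the offset values are later validated against table_size is decided outside this hunk and is worth confirming.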