Commit 3876846e26fdd56f4434bdabfe6722ec66a40b83

Dominik Röttsches 2022-01-11T13:40:20

[sfnt] Fix limit checks for `COLR` v1 ClipBoxes * src/sfnt/ttcolr.c (tt_face_get_color_glyph_clipbox): Fix off-by-one in limit checks.

diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 1ff300e..50c19f7 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -857,10 +857,14 @@
 
     p = colr->clip_list;
 
+    /* limit points to the first byte after the end of the color table.        */
+    /* Thus, in subsequent limit checks below we need to check whether the     */
+    /* read pointer is strictly greater than a position offset                 */
+    /* by certain field sizes to the left of that position.                    */
     limit = (FT_Byte*)colr->table + colr->table_size;
 
     /* Check whether we can extract one `uint8` and one `uint32`. */
-    if ( p >= limit - ( 1 + 4 ) )
+    if ( p > limit - ( 1 + 4 ) )
       return 0;
 
     clip_base        = p;
@@ -876,7 +880,7 @@
     /* Check whether we can extract two `uint16` and one `Offset24`, */
     /* `num_clip_boxes` times.                                       */
     if ( colr->table_size / ( 2 + 2 + 3 ) < num_clip_boxes ||
-         p >= limit - ( 2 + 2 + 3 ) * num_clip_boxes       )
+         p > limit - ( 2 + 2 + 3 ) * num_clip_boxes        )
       return 0;
 
     for ( i = 0; i < num_clip_boxes; ++i )
@@ -890,7 +894,7 @@
         p1 = (FT_Byte*)( clip_base + clip_box_offset );
 
         /* Check whether we can extract one `uint8`. */
-        if ( p1 >= limit - 1 )
+        if ( p1 > limit - 1 )
           return 0;
 
         format = FT_NEXT_BYTE( p1 );
@@ -899,7 +903,7 @@
           return 0;
 
         /* Check whether we can extract four `FWORD`. */
-        if ( p1 >= limit - ( 2 + 2 + 2 + 2 ) )
+        if ( p1 > limit - ( 2 + 2 + 2 + 2 ) )
           return 0;
 
         /* `face->root.size->metrics.x_scale` and `y_scale` are factors   */