[sfnt] Fix heap buffer overflow in CPAL handling. * src/sfnt/ttcpal.c (tt_face_palette_set): Fix boundary test. (tt_face_load_cpal): Updated.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
diff --git a/ChangeLog b/ChangeLog
index a748921..0e40b16 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-09-03 Werner Lemberg <wl@gnu.org>
+
+ [sfnt] Fix heap buffer overflow in CPAL handling.
+
+ * src/sfnt/ttcpal.c (tt_face_palette_set): Fix boundary test.
+ (tt_face_load_cpal): Updated.
+
2018-09-01 Werner Lemberg <wl@gnu.org>
Remove `FT_Outline_{New,Done}_Internal'.
diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c
index be1b004..9852243 100644
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -220,7 +220,8 @@
face->palette_data.num_palette_entries ) )
goto NoCpal;
- tt_face_palette_set( face, 0 );
+ if ( tt_face_palette_set( face, 0 ) )
+ goto InvalidTable;
return FT_Err_Ok;
@@ -231,6 +232,8 @@
FT_FRAME_RELEASE( table );
FT_FREE( cpal );
+ face->cpal = NULL;
+
/* arrays in `face->palette_data' and `face->palette' */
/* are freed in `sfnt_done_face' */
@@ -267,20 +270,20 @@
FT_Color* q;
FT_Color* limit;
- FT_ULong record_offset;
+ FT_UShort color_index;
if ( !cpal || palette_index >= face->palette_data.num_palettes )
return FT_THROW( Invalid_Argument );
- offset = cpal->color_indices + 2 * palette_index;
- record_offset = COLOR_SIZE * FT_PEEK_USHORT( offset );
+ offset = cpal->color_indices + 2 * palette_index;
+ color_index = FT_PEEK_USHORT( offset );
- if ( record_offset + COLOR_SIZE * face->palette_data.num_palette_entries >
- cpal->table_size )
+ if ( color_index + face->palette_data.num_palette_entries >
+ cpal->num_colors )
return FT_THROW( Invalid_Table );
- p = cpal->colors + record_offset;
+ p = cpal->colors + COLOR_SIZE * color_index;
q = face->palette;
limit = q + face->palette_data.num_palette_entries;