Commit 5b626281f1e6524dd87e3d5d6af795b39a8cc10b

Alexei Podtelezhnikov 2021-09-10T10:19:07

[truetype] Tweak `hdmx` checking. Fixes #1096. * src/truetype/ttpload.c (tt_face_load_hdmx): Account for padding.

diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index e3b0b44..10d07f1 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -548,8 +548,8 @@
     record_size = FT_NEXT_ULONG( p );
 
     /* The maximum number of bytes in an hdmx device record is the */
-    /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus      */
-    /* explaining why `record_size' is a long (which we read as    */
+    /* maximum number of glyphs + 2 + 32-bit padding, or 0x10004,  */
+    /* that is why `record_size' is a long (which we read as       */
     /* unsigned long for convenience).  In practice, two bytes are */
     /* sufficient to hold the size value.                          */
     /*                                                             */
@@ -562,10 +562,10 @@
       record_size &= 0xFFFFU;
 
     /* The limit for `num_records' is a heuristic value. */
-    if ( num_records > 255              ||
-         ( num_records > 0            &&
-           ( record_size > 0x10001L ||
-             record_size < 4        ) ) )
+    if ( num_records > 255               ||
+         ( num_records > 0             &&
+           ( record_size > 0x10004UL ||
+             record_size & 3         ) ) )
     {
       error = FT_THROW( Invalid_File_Format );
       goto Fail;
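Review bot: The rewritten condition no longer rejects a zero `record_size`: the new `record_size & 3` test evaluates to 0 for `record_size == 0`, whereas the replaced `record_size < 4` test rejected it, so a table with `num_records > 0` and `record_size == 0` now passes this guard. If the code following the hunk divides by `record_size` or steps through the table by it (not visible here), that would be a regression rather than a tightening. Keeping the lower bound next to the alignment test, `( record_size > 0x10004UL || record_size < 4 || record_size & 3 ) ) )`, preserves the old rejection while still enforcing the 32-bit padding the comment in the first hunk describes. Parenthesizing `( record_size & 3 )` would also make the mixed `>`/`&`/`||` expression easier to read. The enclosing `tt_face_load_hdmx` begins and ends outside the hunk.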