kc3-lang/freetype

Browse

Commit a6b77ba2b39e379cd9295a9376fedf574a6ba15f

Werner Lemberg 2018-06-19T20:09:31

[sfnt] Fix CPAL heap buffer overflow. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968 * src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1 offsets. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

diff --git a/ChangeLog b/ChangeLog
index af02921..0b2a7ee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
 2018-06-19  Werner Lemberg  <wl@gnu.org>
 
+	[sfnt] Fix CPAL heap buffer overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968
+
+	* src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1
+	offsets.
+
+2018-06-19  Werner Lemberg  <wl@gnu.org>
+
 	Doh.  Don't use CPAL or COLR data if tables are missing.
 
 	Reported by Alexei.
diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c
index fc78c67..9cdcec6 100644
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -128,6 +128,9 @@
       FT_UShort*  q;
 
 
+      if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size )
+        goto InvalidTable;
+
       p += face->palette_data.num_palettes * 2;
 
       type_offset        = FT_NEXT_ULONG( p );
kmx.io     mail     discord kmxgit v0.4.0