Author :
Ben Wagner
Date :
2022-09-26 14:46:42
Hash :bd417007 Message :[sfnt] Add SVG document bounds checking.
Add a check that the document content is actually contained within the
`SVG ` table. Without this check a malformed font may claim arbitrary
memory as its document content.
* src/sfnt/ttsvg.c (tt_face_load_svg): Take `numEntries` into account when
testing 'documentRecord' extents.
(find_doc): Rename `stream` to `document_records` for clarity.
(tt_face_load_svg_doc): Split `doc` from `doc_list` pointer for clarity.
Test that the document content is contained within the table.
Ensure minimum length of document before testing for gzip format.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812
Ben Wagner