Commit df2601395f96d5d513f15795a725abfe76214d95
2022-09-27T17:50:55
[sfnt] Guard access in 'COLR' table when requesting child table pointer. * src/sfnt/ttcolr.c (tt_face_get_colorline_stops, read_paint): Tighten pointer bounds checks. (get_child_table_pointer): Check whether incoming pointer `p` lies within the 'COLR' table. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51816
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 5df31b9..c65ca3d 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -554,6 +554,10 @@
if ( !child_table_pointer )
return 0;
+ if ( *p < colr->paints_start_v1 ||
+ *p > (FT_Byte*)colr->table + colr->table_size - 1 - 3 )
+ return 0;
+
paint_offset = FT_NEXT_UOFF3( *p );
if ( !paint_offset )
return 0;
@@ -650,8 +654,10 @@
if ( !p || !colr || !colr->table )
return 0;
- if ( p < colr->paints_start_v1 ||
- p >= ( (FT_Byte*)colr->table + colr->table_size ) )
+ /* The last byte of the 'COLR' table is at 'size-1'; subtract 1 of */
+ /* that to account for the expected format byte we are going to read. */
+ if ( p < colr->paints_start_v1 ||
+ p > (FT_Byte*)colr->table + colr->table_size - 2 )
return 0;
apaint->format = (FT_PaintFormat)FT_NEXT_BYTE( p );
@@ -1577,10 +1583,12 @@
if ( iterator->current_color_stop >= iterator->num_color_stops )
return 0;
+ /* Subtract 3 times 2 because we need to succeed in reading */
+ /* three 2-byte short values. */
if ( iterator->p +
- ( ( iterator->num_color_stops - iterator->current_color_stop ) *
- COLOR_STOP_SIZE ) >
- ( (FT_Byte *)colr->table + colr->table_size ) )
+ ( iterator->num_color_stops - iterator->current_color_stop ) *
+ COLOR_STOP_SIZE >
+ (FT_Byte*)colr->table + colr->table_size - 1 - 2 - 2 - 2 )
return 0;
/* Iterator points at first `ColorStop` of `ColorLine`. */