kc3-lang/freetype

Browse

Commit df2cf43e94fcf43d2d4b7574495eb3a0a9d5858a

Werner Lemberg 2016-12-16T11:38:20

[truetype] Fix `cvar' sanity test. Reported by Dave Arnold. * src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

diff --git a/ChangeLog b/ChangeLog
index 8fed6a2..b89a082 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2016-12-16  Werner Lemberg  <wl@gnu.org>
 
+	[truetype] Fix `cvar' sanity test.
+
+	Reported by Dave Arnold.
+
+	* src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask.
+
+2016-12-16  Werner Lemberg  <wl@gnu.org>
+
 	[cff, truetype] Remove compiler warnings; fix `make multi'.
 
 	* src/cff/cf2font.h: Include `cffload.h'.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index dae0cb7..12a3160 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -2020,7 +2020,8 @@
     offsetToData = FT_GET_USHORT();
 
     /* rough sanity test */
-    if ( offsetToData + tupleCount * 4 > table_len )
+    if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
+           table_len )
     {
       FT_TRACE2(( "tt_face_vary_cvt:"
                   " invalid CVT variation array header\n" ));
kmx.io     mail     discord kmxgit v0.4.0