kmx git

Show log
Commit

Hash : 335224be
Author :
Date : 2022-03-03T16:33:40

[sfnt] Fix bounds check in SVG.

The `SVG_DOCUMENT_LIST_MINIMUM_SIZE` macro is non trivial and not
protected by parentheses. As a result, the expression
`table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE` expands to
`table_size - 2U + SVG_DOCUMENT_RECORD_SIZE` instead of the expected
`table_size - (2U + SVG_DOCUMENT_RECORD_SIZE)`. This causes an incorrect
bounds check which may lead to reading past the end of the `SVG ` table.

* src/sfnt/ttsvg.c (tt_face_load_svg): wrap macro definitions in
parentheses.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45179

Files
module.mk
pngshim.c
pngshim.h
rules.mk
sfdriver.c
sfdriver.h
sferrors.h
sfnt.c
sfobjs.c
sfobjs.h
sfwoff.c
sfwoff.h
sfwoff2.c
sfwoff2.h
ttbdf.c
ttbdf.h
ttcmap.c
ttcmap.h
ttcmapc.h
ttcolr.c
ttcolr.h
ttcpal.c
ttcpal.h
ttkern.c
ttkern.h
ttload.c
ttload.h
ttmtx.c
ttmtx.h
ttpost.c
ttpost.h
ttsbit.c
ttsbit.h
ttsvg.c
ttsvg.h
woff2tags.c
woff2tags.h

Properties

Git HTTP	https://git.kmx.io/kc3-lang/freetype.git
Git SSH	git@git.kmx.io:kc3-lang/freetype.git
Public access ?	public
Description	https://gitlab.freedesktop.org/freetype/freetype
Users
Tags

kc3-lang/freetype/src/sfnt

Commit

Files

Properties