• Show log

    Commit

  • Hash : 3829fdaa
    Author : Ben Wagner
    Date : 2023-08-04T11:41:23

    Avoid overflow in COLR bounds checks. The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long` is 32 bits adding 4 to such values will wrap and pass bounds checks but accessing values at such offsets will be out of bounds. On the other hand `table_size` has already been tested to be at least `COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it. * src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size` instead of adding 4 to font data offsets in bounds checks Fixes: https://crbug.com/1469348