Branch
-
Show log
Commit
-
Hash : 3829fdaa
Author :
Date : 2023-08-04T11:41:23
Avoid overflow in COLR bounds checks. The values read into `base_glyphs_offset_v1` and `layer_offset_v1` may be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where `unsigned long` is 32 bits adding 4 to such values will wrap and pass bounds checks but accessing values at such offsets will be out of bounds. On the other hand `table_size` has already been tested to be at least `COLRV1_HEADER_SIZE` (34) so it is safe to subtract 4 from it. * src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from `table_size` instead of adding 4 to font data offsets in bounds checks Fixes: https://crbug.com/1469348
-
Files
- module.mk
- pngshim.c
- pngshim.h
- rules.mk
- sfdriver.c
- sfdriver.h
- sferrors.h
- sfnt.c
- sfobjs.c
- sfobjs.h
- sfwoff.c
- sfwoff.h
- sfwoff2.c
- sfwoff2.h
- ttbdf.c
- ttbdf.h
- ttcmap.c
- ttcmap.h
- ttcmapc.h
- ttcolr.c
- ttcolr.h
- ttcpal.c
- ttcpal.h
- ttkern.c
- ttkern.h
- ttload.c
- ttload.h
- ttmtx.c
- ttmtx.h
- ttpost.c
- ttpost.h
- ttsbit.c
- ttsbit.h
- ttsvg.c
- ttsvg.h
- woff2tags.c
- woff2tags.h
-
Properties
-
Git HTTP https://git.kmx.io/kc3-lang/freetype.git Git SSH git@git.kmx.io:kc3-lang/freetype.git Public access ? public Description Users
Tags
