freetype-commit

[Git][freetype/freetype][master] [sfnt] Guard access in 'COLR' v1 glyph


From: Werner Lemberg (@wl)
Subject: [Git][freetype/freetype][master] [sfnt] Guard access in 'COLR' v1 glyph binary search.
Date: Tue, 02 Jan 2024 17:02:00 +0000

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

  • 57c4252a
    by Werner Lemberg at 2024-01-02T17:55:33+01:00
    [sfnt] Guard access in 'COLR' v1 glyph binary search.
    
    Reported as
    
      https://bugs.chromium.org/p/chromium/issues/detail?id=1505216
    
    * src/sfnt/ttcolr.c (find_base_glyph_v1_record): Guard access of the search
    pointer during binary search.  The pointer needs to be checked as we go as
    the test that compares number of v1 glyphs with table size at the time of
    loading the table is not sufficient on its own.
    
    A scenario is possible in which the `BaseGlyphRecord` list extends into
    non-`BaseGlyphRecord` parts of the 'COLR' v1 table (but passed the size
    comparison check).  Then, at those locations, invalid glyph ID values are
    read and may provoke an invalid read due to reassigning min and max values
    during the binary search.
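The failure mode the commit message describes, as an added worked example that is not FreeType's code: a binary search over COLRv1 BaseGlyphPaintRecords whose record count overstates the bytes actually present, with the same guard the patch adds (the 2-byte glyph ID and 4-byte paint offset must fit before the end of the table) but computed on offsets so that no pointer past the table is ever formed, and with a separate "malformed" result so a guard trip can be told apart from a plain miss. The record layout assumed here (uint16 glyphID followed by Offset32 paint, 6 bytes, behind a uint32 count) is the OpenType COLR v1 layout; the table bytes are constructed for the example, and the function, constant and macro names are the example's own, not FreeType's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* COLRv1 BaseGlyphPaintRecord on the wire (OpenType spec): uint16 glyphID,
 * Offset32 paint; records sorted by glyphID, preceded by a uint32 count
 * (the "+ 4" in the patch). */
#define COUNT_SIZE   4
#define RECORD_SIZE  6

enum { LOOKUP_MALFORMED = -1, LOOKUP_NOT_FOUND = 0, LOOKUP_FOUND = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Guarded binary search.  `list` points at the uint32 count; `end` is the
 * first byte past the table (caller guarantees list <= end).  Unlike the
 * FreeType function this reports a bounds failure separately from "glyph
 * not present", so the two can be told apart. */
int find_base_glyph_record(const uint8_t *list, size_t num_records,
                           const uint8_t *end, uint16_t glyph_id,
                           uint32_t *paint_offset)
{
  size_t avail = (size_t)(end - list);
  size_t min = 0, max = num_records;

  /* Keep mid * RECORD_SIZE from wrapping on a 32-bit size_t. */
  if (num_records > (SIZE_MAX - COUNT_SIZE - RECORD_SIZE) / RECORD_SIZE)
    return LOOKUP_MALFORMED;

  while (min < max) {
    size_t mid = min + (max - min) / 2;
    /* Bytes needed to read record `mid` whole: count, earlier records and
     * its own 2 + 4 bytes.  Checked as an offset, before any pointer past
     * `end` is formed. */
    size_t need = COUNT_SIZE + mid * RECORD_SIZE + RECORD_SIZE;
    const uint8_t *p;
    uint16_t gid;

    if (need > avail)
      return LOOKUP_MALFORMED;
    p   = list + COUNT_SIZE + mid * RECORD_SIZE;
    gid = rd16(p);
    if (gid < glyph_id)
      min = mid + 1;
    else if (gid > glyph_id)
      max = mid;
    else {
      *paint_offset = rd32(p + 2);
      return LOOKUP_FOUND;
    }
  }
  return LOOKUP_NOT_FOUND;
}

/* Entry point over a raw table blob: the count field must itself fit; the
 * bound passed down is table + table_size, as in the patched caller. */
int colr_lookup(const uint8_t *table, size_t table_size,
                uint16_t glyph_id, uint32_t *paint_offset)
{
  if (table_size < COUNT_SIZE)
    return LOOKUP_MALFORMED;
  return find_base_glyph_record(table, rd32(table), table + table_size,
                                glyph_id, paint_offset);
}

/* Constructed sample table, not from any real font: count 3, three sorted
 * records, then four bytes standing in for the paint data that follows. */
static const uint8_t k_good_table[] = {
  0x00, 0x00, 0x00, 0x03,
  0x00, 0x05, 0x00, 0x00, 0x00, 0x10,   /* gid 5,   paint offset 0x10 */
  0x00, 0x11, 0x00, 0x00, 0x00, 0x20,   /* gid 17,  paint offset 0x20 */
  0x01, 0x2C, 0x00, 0x00, 0x00, 0x30,   /* gid 300, paint offset 0x30 */
  0xAA, 0xBB, 0xCC, 0xDD
};

int lookup_good(uint16_t gid)
{ uint32_t off = 0; return colr_lookup(k_good_table, sizeof k_good_table, gid, &off); }

uint32_t good_paint_offset(uint16_t gid)
{ uint32_t off = 0; colr_lookup(k_good_table, sizeof k_good_table, gid, &off); return off; }

/* Same bytes with the count patched to 8: the list now "extends" over the
 * trailing bytes and past the table end.  An unguarded search would probe
 * mid = 4 first, i.e. read 6 bytes at offset 28 of this 26-byte buffer. */
int lookup_bad(uint16_t gid)
{
  uint8_t  t[sizeof k_good_table];
  uint32_t off = 0;
  memcpy(t, k_good_table, sizeof t);
  t[3] = 8;
  return colr_lookup(t, sizeof t, gid, &off);
}
```

With the well-formed table, `lookup_good(17)` finds the record and `good_paint_offset(17)` yields 0x20, while a glyph that is absent returns `LOOKUP_NOT_FOUND`. With the count patched to 8, every lookup trips the guard on its first probe and returns `LOOKUP_MALFORMED`, including `lookup_bad(17)` for a glyph that is physically present: that is the trade-off the patch's comment accepts when it says a broken list means the COLRv1 glyph cannot be found.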
    

1 changed file:

Changes:

  • src/sfnt/ttcolr.c
    ... ... @@ -1269,6 +1269,7 @@
    1269 1269
       static FT_Bool
    
    1270 1270
       find_base_glyph_v1_record( FT_Byte *           base_glyph_begin,
    
    1271 1271
                                  FT_UInt             num_base_glyph,
    
    1272
    +                             FT_Byte *           end_colr,
    
    1272 1273
                                  FT_UInt             glyph_id,
    
    1273 1274
                                  BaseGlyphV1Record  *record )
    
    1274 1275
       {
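Review bot: the new `end_colr` parameter at +1272 is undocumented, and its contract matters: nothing at the declaration says whether it is the first byte past the whole 'COLR' table or past the BaseGlyphRecord list, and the two differ. A one-line comment next to the parameter, e.g. `/* end_colr: first byte past the 'COLR' table (exclusive) */`, and a mention in the function's description would make explicit what the caller has to compute.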
    
    ... ... @@ -1287,6 +1288,14 @@
    1287 1288
            */
    
    1288 1289
           FT_Byte  *p = base_glyph_begin + 4 + mid * BASE_GLYPH_PAINT_RECORD_SIZE;
    
    1289 1290
     
    
    1291
    +
    
    1292
    +      /* We need to be able to read 2 bytes (FT_NEXT_USHORT) for the glyph */
    
    1293
    +      /* ID, then 4 bytes (FT_NEXT_ULONG) for the paint offset.  If that's */
    
    1294
    +      /* not available before the end of the table, something's wrong with */
    
    1295
    +      /* the font and we can't find a COLRv1 glyph.                        */
    
    1296
    +      if ( p > end_colr - 2 - 4 )
    
    1297
    +        return 0;
    
    1298
    +
    
    1290 1299
           FT_UShort  gid = FT_NEXT_USHORT( p );
    
    1291 1300
     
    
    1292 1301
     
    
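Review bot: the guard `if ( p > end_colr - 2 - 4 )` at +1296 is evaluated after `p` has already been set to `base_glyph_begin + 4 + mid * BASE_GLYPH_PAINT_RECORD_SIZE` at line 1289, so in exactly the overstated-count case this commit targets `p` already points past the table when it is compared; that works on a flat address space but is out-of-object pointer arithmetic in C terms. Doing the test on offsets before the pointer is formed avoids it, e.g. `if ( 4 + mid * BASE_GLYPH_PAINT_RECORD_SIZE + 2 + 4 > (FT_ULong)( end_colr - base_glyph_begin ) ) return 0;`. The literals `2` and `4` also restate what `BASE_GLYPH_PAINT_RECORD_SIZE` encodes if that macro is the 6 bytes the comment describes; using the macro here keeps the guard and the stride in sync.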
    ... ... @@ -1328,6 +1337,7 @@
    1328 1337
     
    
    1329 1338
         if ( !find_base_glyph_v1_record( colr->base_glyphs_v1,
    
    1330 1339
                                          colr->num_base_glyphs_v1,
    
    1340
    +                                     (FT_Byte*)colr->table + colr->table_size,
    
    1331 1341
                                          base_glyph,
    
    1332 1342
                                          &base_glyph_v1_record ) )
    
    1333 1343
           return 0;
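Review bot: the bound passed at +1340, `(FT_Byte*)colr->table + colr->table_size`, is the end of the whole 'COLR' table, while the search walks from `colr->base_glyphs_v1`; the guard inside `find_base_glyph_v1_record` is only meaningful if `base_glyphs_v1` lies inside `[table, table + table_size)`, and this hunk does not show where that is established (a `base_glyphs_v1` past the end is harmless, since every probe then fails the `end_colr - 2 - 4` test, but one below `table` is not guarded at all). Confirming that relation at the load-time check the commit message mentions, or storing a validated end pointer in `Colr` once rather than recomputing this expression at each call site, would close the gap.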
    

