[Git][freetype/freetype][master] [sfnt] Pointer sanity checks before rea

From:

Werner Lemberg (@wl)

Subject:

[Git][freetype/freetype][master] [sfnt] Pointer sanity checks before reading layer info in 'COLR' v0

Date:

Mon, 05 Sep 2022 10:44:51 +0000

Werner Lemberg pushed to branch master at FreeType / FreeType

Commits:

6d62076a

by Dominik Röttsches at 2022-09-05T12:23:31+02:00

[sfnt] Pointer sanity checks before reading layer info in 'COLR' v0

* src/sfnt/ttcolr.c (tt_face_get_colr_layer): Check that the pointer to
read from is within the 'COLR' table.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50633

1 changed file:

src/sfnt/ttcolr.c

Changes:

src/sfnt/ttcolr.c

@@ -481,7 +481,9 @@
        iterator->p = colr->layers + offset;
+     }
 -    if ( iterator->layer >= iterator->num_layers )
 +    if ( iterator->layer >= iterator->num_layers                     ||
 +         iterator->p < colr->layers                                  ||
 +         iterator->p >= ( (FT_Byte*)colr->table + colr->table_size ) )
        return 0;
      *aglyph_index = FT_NEXT_USHORT( iterator->p );

[Prev in Thread]

Current Thread

[Next in Thread]

[Git][freetype/freetype][master] [sfnt] Pointer sanity checks before reading layer info in 'COLR' v0, Werner Lemberg (@wl) <=