[sfnt] Fix color palette loading.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8933 * src/sfnt/ttcpal.c (Cpal): Add `table_size' field. (tt_face_load_cpal): Set it. (tt_face_palette_set): Check pointer limit for color entries.
7 years ago · 1079063701
parent 8f403ab8a8
commit 1079063701
2 changed files with 25 additions and 4 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+2018-06-16  Werner Lemberg  <wl@gnu.org>
+
+	[sfnt] Fix color palette loading.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8933
+
+	* src/sfnt/ttcpal.c (Cpal): Add `table_size' field.
+	(tt_face_load_cpal): Set it.
+	(tt_face_palette_set): Check pointer limit for color entries.
+
 2018-06-16  Werner Lemberg  <wl@gnu.org>

 	* src/base/ftbitmap.c (FT_Bitmap_Blend): Avoid integer overflow.
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@ -55,7 +55,8 @@
                             /* in the combined color record array.        */

    /* The memory which backs up the `CPAL' table. */
-    void*  table;
+    void*     table;
+    FT_ULong  table_size;

  } Cpal;

@ -197,7 +198,8 @@
      }
    }

-    cpal->table = table;
+    cpal->table      = table;
+    cpal->table_size = table_size;

    face->cpal = cpal;

@ -253,13 +255,20 @@
    FT_Color*  q;
    FT_Color*  limit;

+    FT_ULong  record_offset;
+

    if ( palette_index >= face->palette_data.num_palettes )
      return FT_THROW( Invalid_Argument );

-    offset = cpal->color_indices + 2 * palette_index;
-    p      = cpal->colors + COLOR_SIZE * FT_PEEK_USHORT( offset );
+    offset        = cpal->color_indices + 2 * palette_index;
+    record_offset = COLOR_SIZE * FT_PEEK_USHORT( offset );
+
+    if ( record_offset + COLOR_SIZE * face->palette_data.num_palette_entries >
+           cpal->table_size )
+      return FT_THROW( Invalid_Table );

+    p     = cpal->colors + record_offset;
    q     = face->palette;
    limit = q + face->palette_data.num_palette_entries;