[sfnt] Fix bounds check in SVG.

The `SVG_DOCUMENT_LIST_MINIMUM_SIZE` macro is non trivial and not protected by parentheses. As a result, the expression `table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE` expands to `table_size - 2U + SVG_DOCUMENT_RECORD_SIZE` instead of the expected `table_size - (2U + SVG_DOCUMENT_RECORD_SIZE)`. This causes an incorrect bounds check which may lead to reading past the end of the `SVG ` table. * src/sfnt/ttsvg.c (tt_face_load_svg): wrap macro definitions in parentheses. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45179
3 years ago · 335224beee
parent 034e5dbf92
commit 335224beee
1 changed files with 5 additions and 5 deletions
--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@ -39,11 +39,11 @@


  /* NOTE: These table sizes are given by the specification. */
-#define SVG_TABLE_HEADER_SIZE           10U
-#define SVG_DOCUMENT_RECORD_SIZE        12U
-#define SVG_DOCUMENT_LIST_MINIMUM_SIZE  2U + SVG_DOCUMENT_RECORD_SIZE
-#define SVG_MINIMUM_SIZE                SVG_TABLE_HEADER_SIZE +        \
-                                        SVG_DOCUMENT_LIST_MINIMUM_SIZE
+#define SVG_TABLE_HEADER_SIZE           (10U)
+#define SVG_DOCUMENT_RECORD_SIZE        (12U)
+#define SVG_DOCUMENT_LIST_MINIMUM_SIZE  (2U + SVG_DOCUMENT_RECORD_SIZE)
+#define SVG_MINIMUM_SIZE                (SVG_TABLE_HEADER_SIZE +        \
+                                         SVG_DOCUMENT_LIST_MINIMUM_SIZE)


  typedef struct  Svg_