From 9960e7beabe3fa962fe5a3a020dfd97b40e93f10 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Sat, 16 Jun 2018 22:16:03 +0200 Subject: [PATCH] [sfnt] Fix color glyph layer loading. * src/sfnt/ttcolr.c (Colr): Add `table_size' field. (tt_face_load_colr): Set it. (tt_face_get_colr_layer): Check pointer limit for layer entries. --- ChangeLog | 8 ++++++++ src/sfnt/ttcolr.c | 16 ++++++++++++---- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3f5370389..6ac9eadcf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2018-06-16 Werner Lemberg + + [sfnt] Fix color glyph layer loading. + + * src/sfnt/ttcolr.c (Colr): Add `table_size' field. + (tt_face_load_colr): Set it. + (tt_face_get_colr_layer): Check pointer limit for layer entries. + 2018-06-16 Werner Lemberg [sfnt] Fix color palette loading. diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c index 7e44d42ad..4fc430002 100644 --- a/src/sfnt/ttcolr.c +++ b/src/sfnt/ttcolr.c @@ -64,7 +64,8 @@ FT_Byte* layers; /* The memory which backs up the `COLR' table. */ - void* table; + void* table; + FT_ULong table_size; } Colr; @@ -138,6 +139,7 @@ colr->base_glyphs = (FT_Byte*)( table + base_glyph_offset ); colr->layers = (FT_Byte*)( table + layer_offset ); colr->table = table; + colr->table_size = table_size; face->colr = colr; @@ -220,6 +222,9 @@ if ( !iterator->p ) { + FT_ULong offset; + + /* first call to function */ iterator->layer = 0; @@ -229,13 +234,16 @@ &glyph_record ) ) return 0; - iterator->p = colr->layers + - LAYER_SIZE * glyph_record.first_layer_index; - if ( glyph_record.num_layers ) iterator->num_layers = glyph_record.num_layers; else return 0; + + offset = LAYER_SIZE * glyph_record.first_layer_index; + if ( offset + LAYER_SIZE * glyph_record.num_layers > colr->table_size ) + return 0; + + iterator->p = colr->layers + offset; } if ( iterator->layer >= iterator->num_layers )