[sfnt] Fix CPAL heap buffer overflow.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968 * src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1 offsets.
7 years ago · a6b77ba2b3
parent 7915fd51f1
commit a6b77ba2b3
2 changed files with 14 additions and 0 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+2018-06-19  Werner Lemberg  <wl@gnu.org>
+
+	[sfnt] Fix CPAL heap buffer overflow.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968
+
+	* src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1
+	offsets.
+
 2018-06-19  Werner Lemberg  <wl@gnu.org>

 	Doh.  Don't use CPAL or COLR data if tables are missing.
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@ -128,6 +128,9 @@
      FT_UShort*  q;


+      if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size )
+        goto InvalidTable;
+
      p += face->palette_data.num_palettes * 2;

      type_offset        = FT_NEXT_ULONG( p );