From e97cb9e8da39673caeadf4b99a3aa1fb9e4c7301 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Wed, 9 Nov 2022 15:42:25 -0700
Subject: [PATCH] [truetype] Improve bounds checks for `ItemVariationStore`.
* src/truetype/ttgxvar.c (tt_hvadvance_adjust): Move bounds check ... (tt_var_get_item_delta): ... to this function, because it is safer. For example, the 'avar' table 2.0 codepath was not performing a bounds check at all.
---
src/truetype/ttgxvar.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index f9960c045..458b958ab 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -996,10 +996,16 @@ /* See pseudo code from `Font Variations Overview' */ /* in the OpenType specification. */ + if ( outerIndex >= itemStore->dataCount ) + return 0; /* Out of range. */ + varData = &itemStore->varData[outerIndex]; deltaSet = FT_OFFSET( varData->deltaSet, varData->regionIdxCount * innerIndex ); + if ( innerIndex >= varData->itemCount ) + return 0; /* Out of range. */ + if ( FT_QNEW_ARRAY( scalars, varData->regionIdxCount ) ) return 0;
@@ -1171,20 +1177,9 @@ } else { - GX_ItemVarData varData; - - /* no widthMap data */ outerIndex = 0; innerIndex = gindex; - - varData = &table->itemStore.varData[outerIndex]; - if ( gindex >= varData->itemCount ) - { - FT_TRACE2(( "gindex %d out of range\n", gindex )); - error = FT_THROW( Invalid_Argument ); - goto Exit; - } } delta = tt_var_get_item_delta( face,
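Review bot: In the first hunk the added `innerIndex` check sits after `deltaSet = FT_OFFSET( varData->deltaSet, varData->regionIdxCount * innerIndex )`, so the offset is still formed from an index that has not been validated yet and is presumably font-derived. Nothing visible in the hunk dereferences `deltaSet` before the check, but the multiplication and the out-of-range pointer are avoidable: moving `if ( innerIndex >= varData->itemCount ) return 0;` above the `deltaSet` assignment keeps every use of `innerIndex` behind the guard. Both new early returns are also silent, whereas the caller-side check removed in the second hunk logged `gindex %d out of range` through `FT_TRACE2` and failed with `Invalid_Argument`. An `FT_TRACE2` line in each branch would keep malformed `ItemVariationStore` indices visible, since a returned 0 cannot be told apart from a genuine zero delta. The body of `tt_var_get_item_delta` starts and ends outside the hunk.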