[woff2] Check whether known tag is in array bounds.

If table tag is not 0x3f, we expect a value between 0 and 62. If this is not the case, exit with errors. * src/sfnt/sfwoff2/c: Check whether table tag makes sense. * src/sfnt/woff2tags.c: Return 0 if tag is out of bounds.
5 years ago · f67786de4d
parent 933c185b7e
commit f67786de4d
2 changed files with 13 additions and 2 deletions
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@ -1760,7 +1760,15 @@
          goto Exit;
      }
      else
+      {
        table->Tag = woff2_known_tags( table->FlagByte & 0x3f );
+        if ( !table->Tag )
+        {
+          FT_ERROR(( "woff2_open_font: Unknown table tag." ));
+          error = FT_THROW( Invalid_Table );
+          goto Exit;
+        }
+      }

      flags = 0;
      xform_version = ( table->FlagByte >> 6 ) & 0x03;
@ -1787,7 +1795,7 @@
          goto Exit;
        if ( table->Tag == TTAG_loca && table->TransformLength )
        {
-          FT_ERROR(( "woff_font_open: Invalid loca `transformLength'.\n" ));
+          FT_ERROR(( "woff2_open_font: Invalid loca `transformLength'.\n" ));
          error = FT_THROW( Invalid_Table );
          goto Exit;
        }
@ -1795,7 +1803,7 @@

      if ( src_offset + table->TransformLength < src_offset )
      {
-        FT_ERROR(( "woff_font_open: invalid WOFF2 table directory.\n" ));
+        FT_ERROR(( "woff2_open_font: invalid WOFF2 table directory.\n" ));
        error = FT_THROW( Invalid_Table );
        goto Exit;
      }
--- a/src/sfnt/woff2tags.c
+++ b/src/sfnt/woff2tags.c
@ -91,6 +91,9 @@
    };


+    if ( index < 0 || index > 62 )
+      return 0;
+
    return known_tags[index];
  }