[sfnt] Sanitize cmap4 table better.
Fixes #1062. * src/sfnt/ttcmap.c (tt_cmap4_validate): Handle a too-small value of `length` gracefully.
This commit is contained in:
parent
ee6d03d369
commit
b24cfc8dcc
@ -1,3 +1,12 @@
|
||||
2021-06-08 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[sfnt] Sanitize cmap4 table better.
|
||||
|
||||
Fixes #1062.
|
||||
|
||||
* src/sfnt/ttcmap.c (tt_cmap4_validate): Handle a too-small value of
|
||||
`length` gracefully.
|
||||
|
||||
2021-06-08 Dominik Röttsches <drott@chromium.org>
|
||||
|
||||
[sfnt] Pointer validity check when reading COLR 'v1' layers
|
||||
|
@ -916,6 +916,16 @@
|
||||
length = (FT_UInt)( valid->limit - table );
|
||||
}
|
||||
|
||||
/* it also happens that the `length' field is too small; */
|
||||
/* this is easy to correct */
|
||||
if ( length < (FT_UInt)( valid->limit - table ) )
|
||||
{
|
||||
if ( valid->level >= FT_VALIDATE_PARANOID )
|
||||
FT_INVALID_DATA;
|
||||
|
||||
length = (FT_UInt)( valid->limit - table );
|
||||
}
|
||||
|
||||
if ( length < 16 )
|
||||
FT_INVALID_TOO_SHORT;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user