TrueType: Fix buffer check

bb76eb50 added some checks to ensure we do not read past the end of
the buffer for the loaded glyph. However the checks assumed
tt_composite_glyph_t has a fixed size. tt_composite_glyph_t has a
variable size that depends on the flag values within the struct.
Adrian Johnson 2008-04-04 20:29:12 +10:30
parent 7dbb2dec33
commit 2d42f5ac27


@ -505,27 +505,30 @@ cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
unsigned long size)
{
tt_glyph_data_t *glyph_data;
tt_composite_glyph_t *composite_glyph, *last_glyph;
tt_composite_glyph_t *composite_glyph;
int num_args;
int has_more_components;
unsigned short flags;
unsigned short index;
cairo_status_t status;
unsigned char *end = buffer + size;
if (font->status)
return font->status;
if (size < sizeof (tt_glyph_data_t))
glyph_data = (tt_glyph_data_t *) buffer;
if ((unsigned char *)(&glyph_data->data) >= end)
return CAIRO_INT_STATUS_UNSUPPORTED;
glyph_data = (tt_glyph_data_t *) buffer;
if ((int16_t)be16_to_cpu (glyph_data->num_contours) >= 0)
return CAIRO_STATUS_SUCCESS;
composite_glyph = &glyph_data->glyph;
last_glyph = (tt_composite_glyph_t *) (buffer + size);
do {
flags = be16_to_cpu (composite_glyph->flags);
if ((unsigned char *)(&composite_glyph->args[1]) >= end)
return CAIRO_INT_STATUS_UNSUPPORTED;
flags = be16_to_cpu (composite_glyph->flags);
has_more_components = flags & TT_MORE_COMPONENTS;
status = cairo_truetype_font_use_glyph (font, be16_to_cpu (composite_glyph->index), &index);
if (status)
@ -542,9 +545,6 @@ cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
else if (flags & TT_WE_HAVE_A_TWO_BY_TWO)
num_args += 3;
composite_glyph = (tt_composite_glyph_t *) &(composite_glyph->args[num_args]);
if (has_more_components && composite_glyph >= last_glyph)
return CAIRO_INT_STATUS_UNSUPPORTED;
} while (has_more_components);
return CAIRO_STATUS_SUCCESS;
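Review bot: The new in-loop bound check `if ((unsigned char *)(&composite_glyph->args[1]) >= end)` is off by one in the conservative direction: it rejects a component whose flags, index and first argument word end exactly at `end`, although the visible loop lines only read `flags` and `index`, both of which lie inside the buffer in that case. If the num_args computation hidden between the two hunks can yield 1 (byte-sized arguments, no scale flags), a well-formed final component sitting flush with the end of the glyph data is returned as CAIRO_INT_STATUS_UNSUPPORTED; `> end` is the exact bound, so `if ((unsigned char *)(&composite_glyph->args[1]) > end)` if that rejection is not intended. The magic index also deserves a comment, e.g. `/* flags, index and args[0] must be inside the buffer before flags is trusted */`, since `args[1]` is the address one past the smallest possible component, not an argument that is read. The body of cairo_truetype_font_remap_composite_glyph continues between and after the two hunks.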