fdo-mirrors/cairo
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/cairo/cairo.git synced 2026-01-05 15:00:38 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

[cairo-truetype-subset] Check reads are within valid data.

Browse source 
Check cairo_truetype_font_remap_composite_glyph() does not read beyond
the end of the buffer loaded for the glyf.
This commit is contained in:
Chris Wilson 2008-04-03 18:36:16 +01:00
parent a5e2a2ad2d
commit bb76eb508b
1 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
src/cairo-truetype-subset.c
View file

@ -494,11 +494,12 @@ cairo_truetype_font_write_generic_table (cairo_truetype_font_t *font,
}
static cairo_status_t
cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
unsigned char *buffer)
cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
unsigned char *buffer,
unsigned long size)
{
tt_glyph_data_t *glyph_data;
tt_composite_glyph_t *composite_glyph;
tt_composite_glyph_t *composite_glyph, *last_glyph;
int num_args;
int has_more_components;
unsigned short flags;
@ -508,11 +509,15 @@ cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
if (font->status)
return font->status;
if (size < sizeof (tt_glyph_data_t))
return CAIRO_INT_STATUS_UNSUPPORTED;
glyph_data = (tt_glyph_data_t *) buffer;
if ((int16_t)be16_to_cpu (glyph_data->num_contours) >= 0)
return CAIRO_STATUS_SUCCESS;
composite_glyph = &glyph_data->glyph;
last_glyph = (tt_composite_glyph_t *) (buffer + size);
do {
flags = be16_to_cpu (composite_glyph->flags);
has_more_components = flags & TT_MORE_COMPONENTS;
@ -531,6 +536,9 @@ cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
else if (flags & TT_WE_HAVE_A_TWO_BY_TWO)
num_args += 3;
composite_glyph = (tt_composite_glyph_t *) &(composite_glyph->args[num_args]);
if (has_more_components && composite_glyph >= last_glyph)
return CAIRO_INT_STATUS_UNSUPPORTED;
} while (has_more_components);
return CAIRO_STATUS_SUCCESS;
@ -615,7 +623,7 @@ cairo_truetype_font_write_glyf_table (cairo_truetype_font_t *font,
if (status)
goto FAIL;
status = cairo_truetype_font_remap_composite_glyph (font, buffer);
status = cairo_truetype_font_remap_composite_glyph (font, buffer, size);
if (status)
goto FAIL;
}