fdo-mirrors/cairo
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/cairo/cairo.git synced 2026-01-09 07:40:43 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

[cairo-truetype-subset] Check reads are within valid data.

Browse source 
Check cairo_truetype_font_remap_composite_glyph() does not read beyond
the end of the buffer loaded for the glyf.
This commit is contained in:
Chris Wilson 2008-04-03 18:36:16 +01:00
parent a5e2a2ad2d
commit bb76eb508b
1 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
src/cairo-truetype-subset.c
View file

@ -494,11 +494,12 @@ cairo_truetype_font_write_generic_table (cairo_truetype_font_t *font,
} }
static cairo_status_t static cairo_status_t
cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font, cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
unsigned char *buffer) unsigned char *buffer,
unsigned long size)
{ {
tt_glyph_data_t *glyph_data; tt_glyph_data_t *glyph_data;
tt_composite_glyph_t *composite_glyph; tt_composite_glyph_t *composite_glyph, *last_glyph;
int num_args; int num_args;
int has_more_components; int has_more_components;
unsigned short flags; unsigned short flags;
@ -508,11 +509,15 @@ cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
if (font->status) if (font->status)
return font->status; return font->status;
if (size < sizeof (tt_glyph_data_t))
return CAIRO_INT_STATUS_UNSUPPORTED;
glyph_data = (tt_glyph_data_t *) buffer; glyph_data = (tt_glyph_data_t *) buffer;
if ((int16_t)be16_to_cpu (glyph_data->num_contours) >= 0) if ((int16_t)be16_to_cpu (glyph_data->num_contours) >= 0)
return CAIRO_STATUS_SUCCESS; return CAIRO_STATUS_SUCCESS;
composite_glyph = &glyph_data->glyph; composite_glyph = &glyph_data->glyph;
last_glyph = (tt_composite_glyph_t *) (buffer + size);
do { do {
flags = be16_to_cpu (composite_glyph->flags); flags = be16_to_cpu (composite_glyph->flags);
has_more_components = flags & TT_MORE_COMPONENTS; has_more_components = flags & TT_MORE_COMPONENTS;
@ -531,6 +536,9 @@ cairo_truetype_font_remap_composite_glyph (cairo_truetype_font_t *font,
else if (flags & TT_WE_HAVE_A_TWO_BY_TWO) else if (flags & TT_WE_HAVE_A_TWO_BY_TWO)
num_args += 3; num_args += 3;
composite_glyph = (tt_composite_glyph_t *) &(composite_glyph->args[num_args]); composite_glyph = (tt_composite_glyph_t *) &(composite_glyph->args[num_args]);
if (has_more_components && composite_glyph >= last_glyph)
return CAIRO_INT_STATUS_UNSUPPORTED;
} while (has_more_components); } while (has_more_components);
return CAIRO_STATUS_SUCCESS; return CAIRO_STATUS_SUCCESS;
@ -615,7 +623,7 @@ cairo_truetype_font_write_glyf_table (cairo_truetype_font_t *font,
if (status) if (status)
goto FAIL; goto FAIL;
status = cairo_truetype_font_remap_composite_glyph (font, buffer); status = cairo_truetype_font_remap_composite_glyph (font, buffer, size);
if (status) if (status)
goto FAIL; goto FAIL;
} }