[sfnt] Use array count in sanitization of BaseGlyphPaintRecord list.

* src/sfnt/ttcolr.c (tt_face_load_colr): Compute correct length
  of `BaseGlyphPaintRecord` array size.

Fixes issue #1397.
Dominik Röttsches 2026-03-09 09:47:52 +02:00 committed by Werner Lemberg
parent a1079b181e
commit 45556a19aa


@ -236,8 +236,10 @@
p1 = (FT_Byte*)( table + base_glyphs_offset_v1 );
num_base_glyphs_v1 = FT_PEEK_ULONG( p1 );
if ( ( table_size - base_glyphs_offset_v1 ) / BASE_GLYPH_PAINT_RECORD_SIZE
< num_base_glyphs_v1 )
/* Account for 4 byte numBaseGlyphPaintRecords at the beginning of */
/* the BaseGlyphPaintRecord array. */
if ( ( table_size - base_glyphs_offset_v1 - 4 ) /
BASE_GLYPH_PAINT_RECORD_SIZE < num_base_glyphs_v1 )
goto InvalidTable;
colr->num_base_glyphs_v1 = num_base_glyphs_v1;
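Review bot: The new bound `table_size - base_glyphs_offset_v1 - 4` is only safe if `base_glyphs_offset_v1 + 4 <= table_size` already holds, and nothing in this hunk shows that; the `FT_PEEK_ULONG( p1 )` just above depends on the same condition. Assuming these values are unsigned, an offset closer than 4 bytes to the end of the table would wrap the subtraction to a very large value, and the record-count check would then pass for any `num_base_glyphs_v1`. `tt_face_load_colr` starts and ends outside the hunk, so an earlier check may already cover this. If it does, extend the new comment to say so, e.g. `/* base_glyphs_offset_v1 <= table_size - 4 was checked above, so this cannot wrap. */`. Otherwise add `if ( table_size < 4 || base_glyphs_offset_v1 > table_size - 4 ) goto InvalidTable;` before the peek.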