[sfnt] Avoid allocation bomb in compressed SVG documents.

Reported as

  https://issues.oss-fuzz.com/issues/416538625

* src/sfnt/ttsvg.c (MAX_SVG_SIZE): New macro.
  (tt_face_load_svg_doc): Reject too large buffer.
Werner Lemberg 2025-05-09 13:25:34 +02:00
parent 04455084cf
commit 6fa8725a41


@ -46,6 +46,9 @@
SVG_DOCUMENT_LIST_MINIMUM_SIZE)
/* An arbitrary, heuristic size limit (67MByte) for expanded SVG data. */
#define MAX_SVG_SIZE ( 1 << 26 )
typedef struct Svg_
{
FT_UShort version; /* table version (starting at 0) */
@ -346,6 +349,13 @@
(FT_ULong)doc[doc_length - 3] << 8 |
(FT_ULong)doc[doc_length - 4];
if ( uncomp_size >= MAX_SVG_SIZE )
{
FT_ERROR(( "Uncompressed SVG document too large.\n" ));
error = FT_THROW( Array_Too_Large );
goto Exit;
}
if ( FT_QALLOC( uncomp_buffer, uncomp_size ) )
goto Exit;
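Review bot: The new guard caps only the size advertised in the gzip trailer (`uncomp_size`, assembled from the last four bytes of `doc` on the preceding lines), which is untrusted input; it bounds the allocation, but the inflate step that follows must still be limited by `uncomp_size` rather than by what the stream claims, so a stream longer than its declared size cannot overrun `uncomp_buffer` — if the decompressor already takes the buffer size as an in/out bound this is fine, and that call is outside the hunk. The trailer read itself assumes `doc_length >= 4`; whether that is checked earlier in the function cannot be seen from here. A short why-comment would help the next reader: `/* uncomp_size is the untrusted gzip ISIZE field; cap it before allocating. */`. As a minor style point, the first hunk's `#define MAX_SVG_SIZE ( 1 << 26 )` is an `int` compared against an `FT_ULong`; `( 1UL << 26 )` would match the operand type. tt_face_load_svg_doc starts and ends outside the hunk.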