[sfnt] Fix CPAL heap buffer overflow.
Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968 * src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1 offsets.
This commit is contained in:
parent
7915fd51f1
commit
a6b77ba2b3
11
ChangeLog
11
ChangeLog
@ -1,3 +1,14 @@
|
||||
2018-06-19 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
[sfnt] Fix CPAL heap buffer overflow.
|
||||
|
||||
Reported as
|
||||
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8968
|
||||
|
||||
* src/sfnt/ttcpal.c (tt_face_load_cpal): Guard CPAL version 1
|
||||
offsets.
|
||||
|
||||
2018-06-19 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
Doh. Don't use CPAL or COLR data if tables are missing.
|
||||
|
@ -128,6 +128,9 @@
|
||||
FT_UShort* q;
|
||||
|
||||
|
||||
if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size )
|
||||
goto InvalidTable;
|
||||
|
||||
p += face->palette_data.num_palettes * 2;
|
||||
|
||||
type_offset = FT_NEXT_ULONG( p );
|
||||
|
Loading…
Reference in New Issue
Block a user