diff options
| author | Moazin Khatti <moazinkhatri@gmail.com> | 2019-07-30 00:40:41 +0500 |
|---|---|---|
| committer | Moazin Khatti <moazinkhatri@gmail.com> | 2019-08-26 01:17:14 +0500 |
| commit | 0e8e132bd71763f4ee0d4b617102b14a17160882 (patch) | |
| tree | 0279709c62dd047a2d82d448b9b2c48a176cb52a | |
| parent | d7f6f8b16d7d4793bcf27a52efc9b18a01e61ca5 (diff) | |
| download | freetype2-0e8e132bd71763f4ee0d4b617102b14a17160882.tar.gz | |
Performs basic checks to see if SVG data is valid or not.
| -rw-r--r-- | src/sfnt/ttsvg.c | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/src/sfnt/ttsvg.c b/src/sfnt/ttsvg.c index f4a85ca96..223eb8802 100644 --- a/src/sfnt/ttsvg.c +++ b/src/sfnt/ttsvg.c @@ -35,6 +35,24 @@ #include "ttsvg.h" +/* SVG table looks like: + * -------------------------------------- + * Bytes: Field | + * -------------------------------------- + * 2 version + * 4 offsetToSVGDocumentList + * 4 reserved + * 2 numEntries (non-zero) + * 12*numEntries documentList + * + * Since numEntries must be at least one, minimum + * size of SVG table is 24. Everything apart from + * the documentList makes 12 bytes. + */ + +#define SVG_HEADER_BASE_SIZE 12 +#define SVG_HEADER_MIN_SIZE 24 + /* TODO: (OT-SVG) Decide whether to add documentation here or not */ typedef struct Svg_ @@ -69,6 +87,9 @@ if( error ) goto NoSVG; + if ( table_size < SVG_HEADER_MIN_SIZE ) + goto InvalidTable; + if( FT_FRAME_EXTRACT( table_size, table )) goto NoSVG; @@ -77,7 +98,14 @@ goto NoSVG; p = table; - svg->version = FT_NEXT_USHORT( p ); + svg->version = FT_NEXT_USHORT( p ); + + /* At the time of writing this, only version 0 exists, + * and only that is supported by FreeType + */ + if ( svg->version != 0 ) + goto InvalidTable; + offsetToSVGDocumentList = FT_NEXT_ULONG( p ); if( offsetToSVGDocumentList == 0 ) @@ -88,6 +116,9 @@ p = svg->svg_doc_list; svg->num_entries = FT_NEXT_USHORT( p ); + if ( ( svg->num_entries*12 + SVG_HEADER_BASE_SIZE ) > table_size ) + goto InvalidTable; + FT_TRACE3(( "version: %d\n", svg->version )); FT_TRACE3(( "num entiries: %d\n", svg->num_entries )); @@ -244,7 +275,10 @@ *doc_length = mid_doc.length; *start_glyph = mid_doc.start_glyph_id; *end_glyph = mid_doc.end_glyph_id; - error = FT_Err_Ok; + if ( *doc_length == 0 ) + error = FT_THROW( Invalid_SVG_Document ); + else + error = FT_Err_Ok; } return error; } |