diff options
author | Behdad Esfahbod <behdad@behdad.org> | 2022-11-09 15:42:25 -0700 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2022-11-12 16:45:44 +0100 |
commit | e97cb9e8da39673caeadf4b99a3aa1fb9e4c7301 (patch) | |
tree | 9977afa59d7db6fdaa9de9ebdf2cabba04ba32ec /src | |
parent | 9be958ca39cdca0753ba99b741658733d1655d54 (diff) | |
download | freetype2-e97cb9e8da39673caeadf4b99a3aa1fb9e4c7301.tar.gz |
[truetype] Improve bounds checks for `ItemVariationStore`.
* src/truetype/ttgxvar.c (tt_hvadvance_adjust): Move bounds check ...
(tt_var_get_item_delta): ... to this function, because it is safer. For
example, the 'avar' table 2.0 codepath was not performing a bounds check at
all.
Diffstat (limited to 'src')
-rw-r--r-- | src/truetype/ttgxvar.c | 17 |
1 files changed, 6 insertions, 11 deletions
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index f9960c045..458b958ab 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -996,10 +996,16 @@ /* See pseudo code from `Font Variations Overview' */ /* in the OpenType specification. */ + if ( outerIndex >= itemStore->dataCount ) + return 0; /* Out of range. */ + varData = &itemStore->varData[outerIndex]; deltaSet = FT_OFFSET( varData->deltaSet, varData->regionIdxCount * innerIndex ); + if ( innerIndex >= varData->itemCount ) + return 0; /* Out of range. */ + if ( FT_QNEW_ARRAY( scalars, varData->regionIdxCount ) ) return 0; @@ -1171,20 +1177,9 @@ } else { - GX_ItemVarData varData; - - /* no widthMap data */ outerIndex = 0; innerIndex = gindex; - - varData = &table->itemStore.varData[outerIndex]; - if ( gindex >= varData->itemCount ) - { - FT_TRACE2(( "gindex %d out of range\n", gindex )); - error = FT_THROW( Invalid_Argument ); - goto Exit; - } } delta = tt_var_get_item_delta( face, |