ref: 1079063701986505980f5c5183b3a92700dc1cf5
parent: 8f403ab8a8bb211aff88897319a15a418f85c86e
author: Werner Lemberg <[email protected]>
date: Sat Jun 16 17:45:13 EDT 2018
[sfnt] Fix color palette loading. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8933 * src/sfnt/ttcpal.c (Cpal): Add `table_size' field. (tt_face_load_cpal): Set it. (tt_face_palette_set): Check pointer limit for color entries.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
2018-06-16 Werner Lemberg <[email protected]>
+ [sfnt] Fix color palette loading.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8933
+
+ * src/sfnt/ttcpal.c (Cpal): Add `table_size' field.
+ (tt_face_load_cpal): Set it.
+ (tt_face_palette_set): Check pointer limit for color entries.
+
+2018-06-16 Werner Lemberg <[email protected]>
+
* src/base/ftbitmap.c (FT_Bitmap_Blend): Avoid integer overflow.
2018-06-16 Werner Lemberg <[email protected]>
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -55,7 +55,8 @@
/* in the combined color record array. */
/* The memory which backs up the `CPAL' table. */
- void* table;
+ void* table;
+ FT_ULong table_size;
} Cpal;
@@ -197,7 +198,8 @@
}
}
- cpal->table = table;
+ cpal->table = table;
+ cpal->table_size = table_size;
face->cpal = cpal;
@@ -253,13 +255,20 @@
FT_Color* q;
FT_Color* limit;
+ FT_ULong record_offset;
+
if ( palette_index >= face->palette_data.num_palettes )
return FT_THROW( Invalid_Argument );
- offset = cpal->color_indices + 2 * palette_index;
- p = cpal->colors + COLOR_SIZE * FT_PEEK_USHORT( offset );
+ offset = cpal->color_indices + 2 * palette_index;
+ record_offset = COLOR_SIZE * FT_PEEK_USHORT( offset );
+ if ( record_offset + COLOR_SIZE * face->palette_data.num_palette_entries >
+ cpal->table_size )
+ return FT_THROW( Invalid_Table );
+
+ p = cpal->colors + record_offset;
q = face->palette;
limit = q + face->palette_data.num_palette_entries;