shithub: freetype+ttf2subf


ref: df2cf43e94fcf43d2d4b7574495eb3a0a9d5858a
parent: 6862024854c64d7f7bbb80d4909c19a45c4f7d9a
author: Werner Lemberg <[email protected]>
date: Fri Dec 16 06:38:20 EST 2016

[truetype] Fix `cvar' sanity test.

Reported by Dave Arnold.

* src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2016-12-16  Werner Lemberg  <[email protected]>
 
+	[truetype] Fix `cvar' sanity test.
+
+	Reported by Dave Arnold.
+
+	* src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask.
+
+2016-12-16  Werner Lemberg  <[email protected]>
+
 	[cff, truetype] Remove compiler warnings; fix `make multi'.
 
 	* src/cff/cf2font.h: Include `cffload.h'.
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -2020,7 +2020,8 @@
     offsetToData = FT_GET_USHORT();
 
     /* rough sanity test */
-    if ( offsetToData + tupleCount * 4 > table_len )
+    if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
+           table_len )
     {
       FT_TRACE2(( "tt_face_vary_cvt:"
                   " invalid CVT variation array header\n" ));
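Review bot: The `/* rough sanity test */` comment above the new condition does not say what the test covers, which matters because this is the only bounds check on the font-supplied `tupleCount` and `offsetToData` visible in the hunk. I would expand it to something like `/* rough sanity test: the count is the low bits of tupleCount (the high bits are flags); 4 is the minimum size of one tuple header */`, assuming the mask name and the `* 4` mean what they suggest. The condition only compares the sum against `table_len` and does not check that the tuple headers end at or before `offsetToData`, so the per-tuple parsing that presumably follows still needs its own bounds checks. tt_face_vary_cvt starts and ends outside the hunk, so whether those checks exist cannot be confirmed from here.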