ref: fb0d66d04c4dd8d7f9604af1a6001b2737cb5098
parent: fbd24523461d57d38bd040d842f9fba2690545cd
author: Ben Wagner <[email protected]>
date: Tue Nov 6 19:47:44 EST 2018
[truetype] Fix VF check from 2018-09-12 (#54973). * src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Use correct offsets for estimates.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-11-07 Ben Wagner <[email protected]>
+
+ [truetype] Fix VF check from 2018-09-12 (#54973).
+
+ * src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Use correct
+ offsets for estimates.
+
2018-11-06 Werner Lemberg <[email protected]>
[pshinter] Fix numeric overflow.
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3725,8 +3725,8 @@
offsetToData = FT_GET_USHORT();
/* rough sanity test */
- if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
- dataSize )
+ if ( offsetToData > dataSize ||
+ ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 > dataSize )
{FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
" invalid glyph variation array header\n" ));