ref: 0767d5362fdc2d14de842b264f24a6cb91d45d55
parent: 6ceeb87f5dd1cb61aa9618bc6296ca917980b0e7
author: Werner Lemberg <[email protected]>
date: Thu Jul 5 19:05:53 EDT 2018
Adjust table size comparisons (#54242). * src/sfnt/ttcpal.c (tt_face_load_cpal): Implement it.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2018-07-05 Werner Lemberg <[email protected]>
+ Adjust table size comparisons (#54242).
+
+ * src/sfnt/ttcpal.c (tt_face_load_cpal): Implement it.
+
+2018-07-05 Werner Lemberg <[email protected]>
+
Fix more 32bit issues (#54208)
* src/cff/cffload.c (cff_blend_build_vector): Convert assertion into
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -112,6 +112,10 @@
cpal->num_colors = FT_NEXT_USHORT( p );
colors_offset = FT_NEXT_ULONG( p );
+ if ( CPAL_V0_HEADER_BASE_SIZE +
+ face->palette_data.num_palettes * 2U > table_size )
+ goto InvalidTable;
+
if ( colors_offset >= table_size )
goto InvalidTable;
if ( cpal->num_colors * COLOR_SIZE > table_size - colors_offset )
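Review bot: The added guard `CPAL_V0_HEADER_BASE_SIZE + face->palette_data.num_palettes * 2U > table_size` carries no comment saying which region of the table it bounds, and the same sum is written out again in the second hunk of this file. A one-line comment such as `/* the palette index array (2 bytes per palette) must fit behind the v0 header */` would make the intent auditable. Computing the sum once into a local would also keep the two checks from drifting apart. The addition looks safe from wrap-around only if `num_palettes` is a 16-bit field, which is not visible here. The guard also sits after the header fields have been read with `FT_NEXT_USHORT`/`FT_NEXT_ULONG`, and whether `table_size` was checked against the base header size before those reads cannot be confirmed, because tt_face_load_cpal starts and ends outside the hunk.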
@@ -128,7 +132,9 @@
FT_UShort* q;
- if ( face->palette_data.num_palettes * 2 + 3U * 4 > table_size )
+ if ( CPAL_V0_HEADER_BASE_SIZE +
+ face->palette_data.num_palettes * 2U +
+ 3U * 4 > table_size )
goto InvalidTable;
p += face->palette_data.num_palettes * 2;
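Review bot: The `3U * 4` term in the rewritten check is an unexplained magic number; it presumably stands for the three 32-bit offsets that a version 1 header appends after the palette index array. A comment on that line, e.g. `/* version 1: three 32-bit offsets follow the index array */`, would let a reader verify the bound against the format. The check is expressed as an absolute offset from the table start, while the read that follows is pointer-relative (`p += face->palette_data.num_palettes * 2;`). The check is therefore only correct if `p` sits exactly `CPAL_V0_HEADER_BASE_SIZE` bytes into the table at this point, which depends on code outside the hunk and deserves a short note or assertion.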