I see similar checks in `ttcpal.c' and many other places. Invalid data is checked for and rejected, so I decided to do the same.
On Tue, Jul 30, 2019 at 12:59 AM Behdad Esfahbod <beh...@behdad.org> wrote: > Why? > > On Mon, Jul 29, 2019 at 12:41 PM Moazin Khatti <moa...@savannah.gnu.org> > wrote: > >> branch: GSoC-2019-moazin >> commit 8887048557db93857ffa6169cfe4c3190f9cb1a1 >> Author: Moazin Khatti <moazinkha...@gmail.com> >> Commit: Moazin Khatti <moazinkha...@gmail.com> >> >> Performs basic to see if SVG data is valid or not. >> --- >> src/sfnt/ttsvg.c | 38 ++++++++++++++++++++++++++++++++++++-- >> 1 file changed, 36 insertions(+), 2 deletions(-) >> >> diff --git a/src/sfnt/ttsvg.c b/src/sfnt/ttsvg.c >> index f4a85ca..223eb88 100644 >> --- a/src/sfnt/ttsvg.c >> +++ b/src/sfnt/ttsvg.c >> @@ -35,6 +35,24 @@ >> >> #include "ttsvg.h" >> >> +/* SVG table looks like: >> + * -------------------------------------- >> + * Bytes: Field | >> + * -------------------------------------- >> + * 2 version >> + * 4 offsetToSVGDocumentList >> + * 4 reserved >> + * 2 numEntries (non-zero) >> + * 12*numEntries documentList >> + * >> + * Since numEntries must be at least one, minimum >> + * size of SVG table is 24. Everything apart from >> + * the documentList makes 12 bytes. >> + */ >> + >> +#define SVG_HEADER_BASE_SIZE 12 >> +#define SVG_HEADER_MIN_SIZE 24 >> + >> /* TODO: (OT-SVG) Decide whether to add documentation here or not */ >> >> typedef struct Svg_ >> @@ -69,6 +87,9 @@ >> if( error ) >> goto NoSVG; >> >> + if ( table_size < SVG_HEADER_MIN_SIZE ) >> + goto InvalidTable; >> + >> if( FT_FRAME_EXTRACT( table_size, table )) >> goto NoSVG; >> >> @@ -77,7 +98,14 @@ >> goto NoSVG; >> >> p = table; >> - svg->version = FT_NEXT_USHORT( p ); >> + svg->version = FT_NEXT_USHORT( p ); >> + >> + /* At the time of writing this, only version 0 exists, >> + * and only that is supported by FreeType >> + */ >> + if ( svg->version != 0 ) >> + goto InvalidTable; >> + >> offsetToSVGDocumentList = FT_NEXT_ULONG( p ); >> >> if( offsetToSVGDocumentList == 0 ) 
>> @@ -88,6 +116,9 @@ >> p = svg->svg_doc_list; >> svg->num_entries = FT_NEXT_USHORT( p ); >> >> + if ( ( svg->num_entries*12 + SVG_HEADER_BASE_SIZE ) > table_size ) >> + goto InvalidTable; >> + >> FT_TRACE3(( "version: %d\n", svg->version )); >> FT_TRACE3(( "num entiries: %d\n", svg->num_entries )); >> >> @@ -244,7 +275,10 @@ >> *doc_length = mid_doc.length; >> *start_glyph = mid_doc.start_glyph_id; >> *end_glyph = mid_doc.end_glyph_id; >> - error = FT_Err_Ok; >> + if ( *doc_length == 0 ) >> + error = FT_THROW( Invalid_SVG_Document ); >> + else >> + error = FT_Err_Ok; >> } >> return error; >> } >> >> > > -- > behdad > http://behdad.org/ >
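Review bot: The layout comment in the first hunk (`@@ -35,6 +35,24 @@`) lists numEntries and documentList as if they directly follow the reserved field, but the code reads numEntries through `p = svg->svg_doc_list`, not at a fixed position after the header. The two regions are contiguous only when offsetToSVGDocumentList is 10. Suggest describing the 10-byte header and the document list as separate regions, stating that the list is located via offsetToSVGDocumentList, and noting that SVG_HEADER_BASE_SIZE and SVG_HEADER_MIN_SIZE are lower bounds that hold only for that contiguous layout.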
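Review bot: The bound in the `@@ -88,6 +116,9 @@` hunk, `( svg->num_entries*12 + SVG_HEADER_BASE_SIZE ) > table_size`, does not include offsetToSVGDocumentList, so a document list that starts late in the table can pass the check and still run past table_size. In the visible lines the offset is only compared against 0, and `svg->num_entries = FT_NEXT_USHORT( p )` is read before any check that the offset leaves room for the 2-byte count. Suggest validating the offset against table_size before that read, then testing offsetToSVGDocumentList + 2 + 12 * num_entries against table_size. The comment calls numEntries non-zero, yet zero is not rejected here, and the literal 12 would read better as a named entry-size constant next to the two new defines.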
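Review bot: In the last hunk (`@@ -244,7 +275,10 @@`) the outputs *doc_length, *start_glyph and *end_glyph are written before the zero-length test, so the caller gets populated out-parameters together with an Invalid_SVG_Document error. Suggest testing mid_doc.length first and assigning the outputs only on the FT_Err_Ok path. The diffstat shows src/sfnt/ttsvg.c as the only file changed, so Invalid_SVG_Document is not introduced by this commit; please confirm it is already defined in the error list, or add it here.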
_______________________________________________ Freetype-devel mailing list Freetype-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/freetype-devel