roytam1/UXP
1
0
Fork 0
mirror of https://github.com/roytam1/UXP.git synced 2026-05-26 13:58:49 +00:00
Code Issues Projects Releases Wiki Activity

[gfx] Pull several OTS fixes from upstream to improve data safety.

Browse Source 
- Don't check STAT designAxisSize if the designAxisCount is zero.
- Avoid potential arithmetic overflow during Buffer read operations.
- Use more careful range checks in STAT parsing.
This commit is contained in:
Moonchild
2024-04-17 22:14:38 +02:00
committed by roytam1
parent dc52303799
commit 9b6c2f36f1
2 changed files with 12 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
gfx/ots/src/ots.h
+6 -7
View File
@@ -87,8 +87,7 @@ class Buffer {
if (n_bytes > 1024 * 1024 * 1024) {
return OTS_FAILURE();
}
if ((offset_ + n_bytes > length_) ||
(offset_ > length_ - n_bytes)) {
if (length_ < n_bytes || offset_ > length_ - n_bytes) {
return OTS_FAILURE();
}
if (buf) {
@@ -99,7 +98,7 @@ class Buffer {
}
inline bool ReadU8(uint8_t *value) {
if (offset_ + 1 > length_) {
if (length_ < 1 || offset_ > length_ - 1) {
return OTS_FAILURE();
}
*value = buffer_[offset_];
@@ -108,7 +107,7 @@ class Buffer {
}
bool ReadU16(uint16_t *value) {
if (offset_ + 2 > length_) {
if (length_ < 2 || offset_ > length_ - 2) {
return OTS_FAILURE();
}
std::memcpy(value, buffer_ + offset_, sizeof(uint16_t));
@@ -122,7 +121,7 @@ class Buffer {
}
bool ReadU24(uint32_t *value) {
if (offset_ + 3 > length_) {
if (length_ < 3 || offset_ > length_ - 3) {
return OTS_FAILURE();
}
*value = static_cast<uint32_t>(buffer_[offset_]) << 16 |
@@ -133,7 +132,7 @@ class Buffer {
}
bool ReadU32(uint32_t *value) {
if (offset_ + 4 > length_) {
if (length_ < 4 || offset_ > length_ - 4) {
return OTS_FAILURE();
}
std::memcpy(value, buffer_ + offset_, sizeof(uint32_t));
@@ -147,7 +146,7 @@ class Buffer {
}
bool ReadR64(uint64_t *value) {
if (offset_ + 8 > length_) {
if (length_ < 8 || offset_ > length_ - 8) {
return OTS_FAILURE();
}
std::memcpy(value, buffer_ + offset_, sizeof(uint64_t));
gfx/ots/src/stat.cc
+6 -6
View File
@@ -53,10 +53,6 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
this->minorVersion = 2;
}
if (this->designAxisSize < sizeof(AxisRecord)) {
return Drop("Invalid designAxisSize");
}
size_t headerEnd = table.offset();
if (this->designAxisCount == 0) {
@@ -65,9 +61,13 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
this->designAxesOffset = 0;
}
} else {
if (this->designAxisSize < sizeof(AxisRecord)) {
return Drop("Invalid designAxisSize");
}
if (this->designAxesOffset < headerEnd ||
size_t(this->designAxesOffset) +
size_t(this->designAxisCount) * size_t(this->designAxisSize) > length) {
size_t(this->designAxesOffset) > length ||
size_t(this->designAxisCount) * size_t(this->designAxisSize) >
length - size_t(this->designAxesOffset)) {
return Drop("Invalid designAxesOffset");
}
}