commit | e04d76d1baae5aec72b4833c0a2288a11a724b20 | |
---|---|---|
author | Dominik Röttsches <drott@chromium.org> | Mon Oct 17 18:18:49 2022 +0300 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Thu Jan 12 19:06:50 2023 +0000 |
tree | 590cb03cda519182d3a4460c62edd32e98438916 | |
parent | a4359e53674321de54a44ea785133cc7b23e203a | |
Cherry pick the following two CLs from upstream

[sfnt] Guard individual `COLR` v1 paint field reads.

* src/sfnt/ttcolr.c (ENSURE_READ_BYTES): New macro.
(read_paint): Use it – after the start pointer `p` has been checked for whether it allows reading the format byte, each successive paint table field read needs to be bounds-checked before reading further values.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404

[sfnt] Additional bounds checks for `COLR` v1 table handling.

* src/sfnt/ttcolr.c (read_paint): Add `colr` argument, necessary for...
... another use of `ENSURE_READ_BYTES`. Update callers.
(tt_face_get_paint_layers): Ensure that the 4-byte paint table offset can be read.

This is a follow-up to !124 and issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404

Bug: 254803162
Test: m libft2
Test: atest CtsTextTestCases
Test: atest CtsGraphicsTestCases
Change-Id: I2b60b477495b444fa64722a9a78586839f25c3d9
Merged-In: Ic17ae69c9ee4877acb0bc667541c78b967da46a9
(cherry picked from commit b56d29a0a69d9fe7b8e377b3397d1e326761dfab)
Merged-In: I2b60b477495b444fa64722a9a78586839f25c3d9
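The guard-every-read pattern the two CLs describe, as an added example that is not FreeType's code: the paint table layout, the two format numbers and every identifier below (including the reuse of the names `ENSURE_READ_BYTES`, `read_paint` and `get_paint_layer_offset`) are a hypothetical simplified model written for this page, and the sample table bytes are constructed, not taken from a real font. It shows a parser that checks the remaining byte budget before each field read after the format byte, and one that checks the 4-byte layer offset before reading it, so a truncated table is rejected instead of read past its end.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not FreeType's ttcolr.c: a hypothetical, simplified model of the
 * two fixes the commit message describes. Table layout, paint formats and all
 * names are invented; the pattern is the point: guard every read, not just the first. */

typedef struct {
    const uint8_t *p;      /* next byte to read */
    const uint8_t *limit;  /* one past the last readable byte */
} reader_t;

/* Return 0 from the enclosing function if fewer than n bytes remain. */
#define ENSURE_READ_BYTES(rd, n) \
    do { if ((rd)->p > (rd)->limit || (size_t)((rd)->limit - (rd)->p) < (size_t)(n)) return 0; } while (0)

/* Big-endian integer of 1..4 bytes; the caller must have checked the budget. */
static uint32_t read_be(reader_t *rd, int nbytes)
{
    uint32_t v = 0;
    while (nbytes-- > 0) v = (v << 8) | *rd->p++;
    return v;
}

enum { PAINT_SOLID = 2, PAINT_LINEAR_GRADIENT = 4 };  /* hypothetical subset */
typedef struct {
    uint8_t  format;
    uint16_t palette_index;   /* PAINT_SOLID */
    int16_t  alpha;           /* PAINT_SOLID, F2Dot14 */
    uint32_t color_line_off;  /* PAINT_LINEAR_GRADIENT, Offset24, not followed here */
    int16_t  coords[6];       /* PAINT_LINEAR_GRADIENT: x0 y0 x1 y1 x2 y2 */
} paint_t;

/* Parse the paint at table[offset..len). Returns 1 on success, 0 if the data is
 * truncated or the format unknown. Checking only the format byte and then
 * reading the fields blindly is the bug the first CL fixes. */
int read_paint(const uint8_t *table, size_t len, uint32_t offset, paint_t *out)
{
    reader_t rd;
    if (offset > len) return 0;
    rd.p = table + offset; rd.limit = table + len;

    ENSURE_READ_BYTES(&rd, 1); out->format = (uint8_t)read_be(&rd, 1);
    switch (out->format) {
    case PAINT_SOLID:
        ENSURE_READ_BYTES(&rd, 2); out->palette_index = (uint16_t)read_be(&rd, 2);
        ENSURE_READ_BYTES(&rd, 2); out->alpha = (int16_t)read_be(&rd, 2);
        return 1;
    case PAINT_LINEAR_GRADIENT:
        ENSURE_READ_BYTES(&rd, 3); out->color_line_off = read_be(&rd, 3);
        for (int i = 0; i < 6; i++) {
            ENSURE_READ_BYTES(&rd, 2); out->coords[i] = (int16_t)read_be(&rd, 2);
        }
        return 1;
    default:
        return 0;   /* unknown format: refuse rather than guess a size */
    }
}

/* Fetch the Offset32 of layer `index` from 4-byte entries at layer_list[0..len).
 * The offset read itself is guarded, which is the second CL's fix. */
int get_paint_layer_offset(const uint8_t *layer_list, size_t len,
                           uint32_t index, uint32_t *offset)
{
    reader_t rd;
    if ((size_t)index > len / 4) return 0;  /* keeps index * 4 <= len, no overflow */
    rd.p = layer_list + (size_t)index * 4; rd.limit = layer_list + len;
    ENSURE_READ_BYTES(&rd, 4); *offset = read_be(&rd, 4);
    return 1;
}

/* Constructed sample, not from a real font: two Offset32 layer entries, a
 * PaintSolid at 8 and a PaintLinearGradient at 13; 29 bytes in total. */
static const uint8_t sample_colr[] = {
    0x00, 0x00, 0x00, 0x08,  0x00, 0x00, 0x00, 0x0D,
    0x02, 0x00, 0x03, 0x40, 0x00,             /* solid: palette 3, alpha 1.0 */
    0x04, 0x00, 0x00, 0x10,                   /* gradient, colorLine at 16 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x64,       /* x0=0 y0=0 x1=100 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x64,       /* y1=0 x2=0 y2=100 */
};
#define SAMPLE_LEN ((size_t)sizeof(sample_colr))

/* Resolve and parse layer `index` of the sample clipped to `len` bytes. Returns
 * the paint format, or -1 if either guarded read rejected the data. */
int parse_sample_layer(size_t len, uint32_t index)
{
    uint32_t off; paint_t pt;
    if (len > SAMPLE_LEN) return -1;
    if (!get_paint_layer_offset(sample_colr, len, index, &off)) return -1;
    if (!read_paint(sample_colr, len, off, &pt)) return -1;
    return pt.format;
}

/* x1 of the sample gradient, to show the guarded path still decodes values. */
int sample_gradient_x1(void)
{
    paint_t pt;
    return read_paint(sample_colr, SAMPLE_LEN, 13, &pt) ? pt.coords[2] : -1;
}
```

Clipping the sample to 20 bytes is the first CL's case: the gradient's format byte, its colorLine offset and the first coordinate still fit, so a parser that only checked the format byte would read the remaining coordinates past the end of the buffer; `read_paint` instead fails at the first coordinate that does not fit. Clipping to 6 bytes is the second CL's case: layer 1's 4-byte offset is itself unreadable, so `get_paint_layer_offset` fails before any paint is touched. Asking for layer 2 reads the solid paint's bytes as an offset far beyond the table, which `read_paint` rejects on its offset check.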