Cherry pick the following two CLs from upstream

[sfnt] Guard individual `COLR` v1 paint field reads.

* src/sfnt/ttcolr.c (ENSURE_READ_BYTES): New macro.
(read_paint): Use it – after the start pointer `p` has been checked for
whether it allows reading the format byte, each successive paint table field
read needs to be bounds-checked before reading further values.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404

[sfnt] Additional bounds checks for `COLR` v1 table handling.

* src/sfnt/ttcolr.c (read_paint): Add `colr` argument, necessary for...
... another use of `ENSURE_READ_BYTES`.
Update callers.
(tt_face_get_paint_layers): Ensure that the 4-byte paint table
offset can be read.

This is a follow-up to !124 and issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404

Bug: 254803162
Test: m libft2
Test: atest CtsTextTestCases
Test: atest CtsGraphicsTestCases
Change-Id: I2b60b477495b444fa64722a9a78586839f25c3d9
Merged-In: Ic17ae69c9ee4877acb0bc667541c78b967da46a9
(cherry picked from commit b56d29a0a69d9fe7b8e377b3397d1e326761dfab)
Merged-In: I2b60b477495b444fa64722a9a78586839f25c3d9
1 file changed
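
The per-field guard the commit message describes, sketched as an added example (not the code from this commit or from FreeType): `colr_view`, `paint`, `SAMPLE` and this `read_paint` are hypothetical stand-ins, and only the PaintColrLayers (format 1) and PaintSolid (format 2) layouts are handled. Being able to read the format byte says nothing about the fields behind it, so every field read is preceded by its own length check against the end of the table.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified view of a COLR table; not FreeType's struct. */
typedef struct {
    const uint8_t *table;
    size_t         table_size;
    size_t         paints_start;   /* offset of the first paint record */
} colr_view;

typedef struct {
    uint8_t  format;
    uint16_t palette_index;        /* format 2 (PaintSolid) */
    int16_t  alpha;                /* format 2, F2Dot14 */
    uint8_t  num_layers;           /* format 1 (PaintColrLayers) */
    uint32_t first_layer;          /* format 1 */
} paint;

/* Constructed sample: 4 header bytes, then one PaintSolid record. */
static const uint8_t SAMPLE[] = { 0, 0, 0, 0, 2, 0x00, 0x05, 0x40, 0x00 };

/* Stop parsing unless `n` more bytes lie between `p` and the table end. */
#define ENSURE_READ_BYTES(n) \
    do { if ((size_t)(end - p) < (size_t)(n)) return 0; } while (0)

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 1 on success, 0 if the record is unknown or runs past the table. */
int read_paint(const colr_view *colr, size_t offset, paint *out)
{
    const uint8_t *p, *end;
    if (offset < colr->paints_start || offset >= colr->table_size)
        return 0;                  /* the format byte itself is unreadable */
    p   = colr->table + offset;
    end = colr->table + colr->table_size;
    out->format = *p++;
    switch (out->format) {
    case 1:                        /* PaintColrLayers */
        ENSURE_READ_BYTES(1); out->num_layers  = *p++;
        ENSURE_READ_BYTES(4); out->first_layer = be32(p); p += 4;
        return 1;
    case 2:                        /* PaintSolid */
        ENSURE_READ_BYTES(2); out->palette_index = be16(p);     p += 2;
        ENSURE_READ_BYTES(2); out->alpha = (int16_t)be16(p);    p += 2;
        return 1;
    default: return 0;
    }
}
```

Shrinking `table_size` so that the record is cut off after the format byte, or in the middle of a field, makes the function return 0 instead of reading past the buffer.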