diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:14:29 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:14:29 +0000 |
| commit | fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8 (patch) | |
| tree | 4c1ccaf5486d4f2009f9a338a98a83e886e29c97 /gfx/ots/src/stat.cc | |
| parent | Releasing progress-linux version 124.0.1-1~progress7.99u1. (diff) | |
| download | firefox-fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8.tar.xz firefox-fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8.zip | |
Merging upstream version 125.0.1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'gfx/ots/src/stat.cc')
| -rw-r--r-- | gfx/ots/src/stat.cc | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/gfx/ots/src/stat.cc b/gfx/ots/src/stat.cc index f6f65fdf60..0eeaffb1c6 100644 --- a/gfx/ots/src/stat.cc +++ b/gfx/ots/src/stat.cc @@ -48,10 +48,6 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) { this->minorVersion = 2; } - if (this->designAxisSize < sizeof(AxisRecord)) { - return Drop("Invalid designAxisSize"); - } - size_t headerEnd = table.offset(); if (this->designAxisCount == 0) { @@ -60,9 +56,13 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) { this->designAxesOffset = 0; } } else { + if (this->designAxisSize < sizeof(AxisRecord)) { + return Drop("Invalid designAxisSize"); + } if (this->designAxesOffset < headerEnd || - size_t(this->designAxesOffset) + - size_t(this->designAxisCount) * size_t(this->designAxisSize) > length) { + size_t(this->designAxesOffset) > length || + size_t(this->designAxisCount) * size_t(this->designAxisSize) > + length - size_t(this->designAxesOffset)) { return Drop("Invalid designAxesOffset"); } } @@ -95,8 +95,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) { } } else { if (this->offsetToAxisValueOffsets < headerEnd || - size_t(this->offsetToAxisValueOffsets) + - size_t(this->axisValueCount) * sizeof(uint16_t) > length) { + size_t(this->offsetToAxisValueOffsets) > length || + size_t(this->axisValueCount) * sizeof(uint16_t) > + length - size_t(this->offsetToAxisValueOffsets)) { return Drop("Invalid offsetToAxisValueOffsets"); } } @@ -107,7 +108,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) { if (!table.ReadU16(&axisValueOffset)) { return Drop("Failed to read axis value offset"); } - if (this->offsetToAxisValueOffsets + axisValueOffset > length) { + // We already checked that offsetToAxisValueOffsets doesn't exceed length, + // so this subtraction will not underflow. + if (axisValueOffset > length - this->offsetToAxisValueOffsets) { return Drop("Invalid axis value offset"); } table.set_offset(this->offsetToAxisValueOffsets + axisValueOffset); |