diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-21 18:34:59 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-21 18:34:59 +0000 |
commit | b0410fc20c45227756a7bbdcff65e29eb0bc4d91 (patch) | |
tree | 36bdaeed45bddfc236ac77adf672339174b3c9b3 /gfx/ots/src/stat.cc | |
parent | Adding debian version 115.9.1esr-1~deb12u1. (diff) | |
download | firefox-esr-b0410fc20c45227756a7bbdcff65e29eb0bc4d91.tar.xz firefox-esr-b0410fc20c45227756a7bbdcff65e29eb0bc4d91.zip |
Merging upstream version 115.10.0esr.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'gfx/ots/src/stat.cc')
-rw-r--r-- | gfx/ots/src/stat.cc | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/gfx/ots/src/stat.cc b/gfx/ots/src/stat.cc index f6f65fdf60..0eeaffb1c6 100644 --- a/gfx/ots/src/stat.cc +++ b/gfx/ots/src/stat.cc @@ -48,10 +48,6 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) { this->minorVersion = 2; } - if (this->designAxisSize < sizeof(AxisRecord)) { - return Drop("Invalid designAxisSize"); - } - size_t headerEnd = table.offset(); if (this->designAxisCount == 0) { @@ -60,9 +56,13 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) { this->designAxesOffset = 0; } } else { + if (this->designAxisSize < sizeof(AxisRecord)) { + return Drop("Invalid designAxisSize"); + } if (this->designAxesOffset < headerEnd || - size_t(this->designAxesOffset) + - size_t(this->designAxisCount) * size_t(this->designAxisSize) > length) { + size_t(this->designAxesOffset) > length || + size_t(this->designAxisCount) * size_t(this->designAxisSize) > + length - size_t(this->designAxesOffset)) { return Drop("Invalid designAxesOffset"); } } @@ -95,8 +95,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) { } } else { if (this->offsetToAxisValueOffsets < headerEnd || - size_t(this->offsetToAxisValueOffsets) + - size_t(this->axisValueCount) * sizeof(uint16_t) > length) { + size_t(this->offsetToAxisValueOffsets) > length || + size_t(this->axisValueCount) * sizeof(uint16_t) > + length - size_t(this->offsetToAxisValueOffsets)) { return Drop("Invalid offsetToAxisValueOffsets"); } } @@ -107,7 +108,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) { if (!table.ReadU16(&axisValueOffset)) { return Drop("Failed to read axis value offset"); } - if (this->offsetToAxisValueOffsets + axisValueOffset > length) { + // We already checked that offsetToAxisValueOffsets doesn't exceed length, + // so this subtraction will not underflow. + if (axisValueOffset > length - this->offsetToAxisValueOffsets) { return Drop("Invalid axis value offset"); } table.set_offset(this->offsetToAxisValueOffsets + axisValueOffset); |