summaryrefslogtreecommitdiffstats
path: root/gfx/ots/src
diff options
context:
space:
mode:
Diffstat (limited to 'gfx/ots/src')
-rw-r--r--gfx/ots/src/ots.h13
-rw-r--r--gfx/ots/src/stat.cc21
2 files changed, 18 insertions, 16 deletions
diff --git a/gfx/ots/src/ots.h b/gfx/ots/src/ots.h
index 434e068d48..7e3625c737 100644
--- a/gfx/ots/src/ots.h
+++ b/gfx/ots/src/ots.h
@@ -87,8 +87,7 @@ class Buffer {
if (n_bytes > 1024 * 1024 * 1024) {
return OTS_FAILURE();
}
- if ((offset_ + n_bytes > length_) ||
- (offset_ > length_ - n_bytes)) {
+ if (length_ < n_bytes || offset_ > length_ - n_bytes) {
return OTS_FAILURE();
}
if (buf) {
@@ -99,7 +98,7 @@ class Buffer {
}
inline bool ReadU8(uint8_t *value) {
- if (offset_ + 1 > length_) {
+ if (length_ < 1 || offset_ > length_ - 1) {
return OTS_FAILURE();
}
*value = buffer_[offset_];
@@ -108,7 +107,7 @@ class Buffer {
}
bool ReadU16(uint16_t *value) {
- if (offset_ + 2 > length_) {
+ if (length_ < 2 || offset_ > length_ - 2) {
return OTS_FAILURE();
}
std::memcpy(value, buffer_ + offset_, sizeof(uint16_t));
@@ -122,7 +121,7 @@ class Buffer {
}
bool ReadU24(uint32_t *value) {
- if (offset_ + 3 > length_) {
+ if (length_ < 3 || offset_ > length_ - 3) {
return OTS_FAILURE();
}
*value = static_cast<uint32_t>(buffer_[offset_]) << 16 |
@@ -133,7 +132,7 @@ class Buffer {
}
bool ReadU32(uint32_t *value) {
- if (offset_ + 4 > length_) {
+ if (length_ < 4 || offset_ > length_ - 4) {
return OTS_FAILURE();
}
std::memcpy(value, buffer_ + offset_, sizeof(uint32_t));
@@ -147,7 +146,7 @@ class Buffer {
}
bool ReadR64(uint64_t *value) {
- if (offset_ + 8 > length_) {
+ if (length_ < 8 || offset_ > length_ - 8) {
return OTS_FAILURE();
}
std::memcpy(value, buffer_ + offset_, sizeof(uint64_t));
diff --git a/gfx/ots/src/stat.cc b/gfx/ots/src/stat.cc
index f6f65fdf60..0eeaffb1c6 100644
--- a/gfx/ots/src/stat.cc
+++ b/gfx/ots/src/stat.cc
@@ -48,10 +48,6 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
this->minorVersion = 2;
}
- if (this->designAxisSize < sizeof(AxisRecord)) {
- return Drop("Invalid designAxisSize");
- }
-
size_t headerEnd = table.offset();
if (this->designAxisCount == 0) {
@@ -60,9 +56,13 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
this->designAxesOffset = 0;
}
} else {
+ if (this->designAxisSize < sizeof(AxisRecord)) {
+ return Drop("Invalid designAxisSize");
+ }
if (this->designAxesOffset < headerEnd ||
- size_t(this->designAxesOffset) +
- size_t(this->designAxisCount) * size_t(this->designAxisSize) > length) {
+ size_t(this->designAxesOffset) > length ||
+ size_t(this->designAxisCount) * size_t(this->designAxisSize) >
+ length - size_t(this->designAxesOffset)) {
return Drop("Invalid designAxesOffset");
}
}
@@ -95,8 +95,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
}
} else {
if (this->offsetToAxisValueOffsets < headerEnd ||
- size_t(this->offsetToAxisValueOffsets) +
- size_t(this->axisValueCount) * sizeof(uint16_t) > length) {
+ size_t(this->offsetToAxisValueOffsets) > length ||
+ size_t(this->axisValueCount) * sizeof(uint16_t) >
+ length - size_t(this->offsetToAxisValueOffsets)) {
return Drop("Invalid offsetToAxisValueOffsets");
}
}
@@ -107,7 +108,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
if (!table.ReadU16(&axisValueOffset)) {
return Drop("Failed to read axis value offset");
}
- if (this->offsetToAxisValueOffsets + axisValueOffset > length) {
+ // We already checked that offsetToAxisValueOffsets doesn't exceed length,
+ // so this subtraction will not underflow.
+ if (axisValueOffset > length - this->offsetToAxisValueOffsets) {
return Drop("Invalid axis value offset");
}
table.set_offset(this->offsetToAxisValueOffsets + axisValueOffset);