From c0db95d3dda1865d4c6bf0666b0e7439b40b9bf2 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 21 Apr 2024 20:35:44 +0200
Subject: Merging upstream version 115.10.0esr.

Signed-off-by: Daniel Baumann
---
 gfx/ots/src/ots.h | 13 ++++++-------
 gfx/ots/src/stat.cc | 21 ++++++++++++---------
 2 files changed, 18 insertions(+), 16 deletions(-)

(limited to 'gfx/ots/src')

diff --git a/gfx/ots/src/ots.h b/gfx/ots/src/ots.h
index 434e068d48..7e3625c737 100644
--- a/gfx/ots/src/ots.h
+++ b/gfx/ots/src/ots.h
@@ -87,8 +87,7 @@ class Buffer {
 if (n_bytes > 1024 * 1024 * 1024) {
 return OTS_FAILURE();
 }
- if ((offset_ + n_bytes > length_) ||
- (offset_ > length_ - n_bytes)) {
+ if (length_ < n_bytes || offset_ > length_ - n_bytes) {
 return OTS_FAILURE();
 }
 if (buf) {
@@ -99,7 +98,7 @@ class Buffer {
 }

 inline bool ReadU8(uint8_t *value) {
- if (offset_ + 1 > length_) {
+ if (length_ < 1 || offset_ > length_ - 1) {
 return OTS_FAILURE();
 }
 *value = buffer_[offset_];
@@ -108,7 +107,7 @@ class Buffer {
 }

 bool ReadU16(uint16_t *value) {
- if (offset_ + 2 > length_) {
+ if (length_ < 2 || offset_ > length_ - 2) {
 return OTS_FAILURE();
 }
 std::memcpy(value, buffer_ + offset_, sizeof(uint16_t));
@@ -122,7 +121,7 @@ class Buffer {
 }

 bool ReadU24(uint32_t *value) {
- if (offset_ + 3 > length_) {
+ if (length_ < 3 || offset_ > length_ - 3) {
 return OTS_FAILURE();
 }
 *value = static_cast(buffer_[offset_]) << 16 |
@@ -133,7 +132,7 @@ class Buffer {
 }

 bool ReadU32(uint32_t *value) {
- if (offset_ + 4 > length_) {
+ if (length_ < 4 || offset_ > length_ - 4) {
 return OTS_FAILURE();
 }
 std::memcpy(value, buffer_ + offset_, sizeof(uint32_t));
@@ -147,7 +146,7 @@ class Buffer {
 }

 bool ReadR64(uint64_t *value) {
- if (offset_ + 8 > length_) {
+ if (length_ < 8 || offset_ > length_ - 8) {
 return OTS_FAILURE();
 }
 std::memcpy(value, buffer_ + offset_, sizeof(uint64_t));
diff --git a/gfx/ots/src/stat.cc b/gfx/ots/src/stat.cc
index f6f65fdf60..0eeaffb1c6 100644
--- a/gfx/ots/src/stat.cc
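Review bot: The corrected bounds test is now spelled out six times in `gfx/ots/src/ots.h` — in the first hunk (the generic reader taking `n_bytes`) and again in `ReadU8`, `ReadU16`, `ReadU24`, `ReadU32` and `ReadR64` — with only the byte count differing, and the overflow-prone `offset_ + N > length_` form had to be fixed in each copy separately. A single private helper, for example `bool CanRead(size_t n) const { return length_ >= n && offset_ <= length_ - n; }` (assuming `offset_` and `length_` are `size_t`, which the hunks do not show), called from every reader would keep all parsing of untrusted font data on one audited check. If the copies stay, a comment above the first test such as `// Subtract instead of add: offset_ + n can wrap when offset_ is close to the maximum.` would record why this form must not be simplified back. The enclosing functions begin or end outside the hunks.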
+++ b/gfx/ots/src/stat.cc
@@ -48,10 +48,6 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
 this->minorVersion = 2;
 }

- if (this->designAxisSize < sizeof(AxisRecord)) {
- return Drop("Invalid designAxisSize");
- }
-
 size_t headerEnd = table.offset();

 if (this->designAxisCount == 0) {
@@ -60,9 +56,13 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
 this->designAxesOffset = 0;
 }
 } else {
+ if (this->designAxisSize < sizeof(AxisRecord)) {
+ return Drop("Invalid designAxisSize");
+ }
 if (this->designAxesOffset < headerEnd ||
- size_t(this->designAxesOffset) +
- size_t(this->designAxisCount) * size_t(this->designAxisSize) > length) {
+ size_t(this->designAxesOffset) > length ||
+ size_t(this->designAxisCount) * size_t(this->designAxisSize) >
+ length - size_t(this->designAxesOffset)) {
 return Drop("Invalid designAxesOffset");
 }
 }
@@ -95,8 +95,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
 }
 } else {
 if (this->offsetToAxisValueOffsets < headerEnd ||
- size_t(this->offsetToAxisValueOffsets) +
- size_t(this->axisValueCount) * sizeof(uint16_t) > length) {
+ size_t(this->offsetToAxisValueOffsets) > length ||
+ size_t(this->axisValueCount) * sizeof(uint16_t) >
+ length - size_t(this->offsetToAxisValueOffsets)) {
 return Drop("Invalid offsetToAxisValueOffsets");
 }
 }
@@ -107,7 +108,9 @@ bool OpenTypeSTAT::Parse(const uint8_t* data, size_t length) {
 if (!table.ReadU16(&axisValueOffset)) {
 return Drop("Failed to read axis value offset");
 }
- if (this->offsetToAxisValueOffsets + axisValueOffset > length) {
+ // We already checked that offsetToAxisValueOffsets doesn't exceed length,
+ // so this subtraction will not underflow.
+ if (axisValueOffset > length - this->offsetToAxisValueOffsets) {
 return Drop("Invalid axis value offset");
 }
 table.set_offset(this->offsetToAxisValueOffsets + axisValueOffset);
-- cgit v1.2.3
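Review bot: With the `designAxisSize < sizeof(AxisRecord)` test moved into the `else` branch (second hunk of `stat.cc`), a table with `designAxisCount == 0` now keeps whatever `designAxisSize` the font supplied. Nothing visible in these hunks uses the field in that case, but any code outside them that later reads or re-emits it would see an unvalidated value, so that is worth confirming. A comment above the moved check would record the intent, for example `// designAxisSize is only validated when there are axis records to read.` `Parse` begins and ends outside the hunk.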
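Review bot: The comment added in the last hunk of `stat.cc` depends on a check that lives in another branch: `size_t(this->offsetToAxisValueOffsets) > length` is rejected only in the `else` arm shown in the third hunk, so `length - this->offsetToAxisValueOffsets` is safe only if this code never runs after the other arm (presumably the zero-count case; its condition and the enclosing loop are outside the hunks). Naming that dependency in the comment, e.g. `// Only reached when the else-branch check above ran, so offsetToAxisValueOffsets <= length.`, would protect the invariant against a later reordering. For consistency with the two earlier checks the operand could also be cast explicitly, `length - size_t(this->offsetToAxisValueOffsets)`.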