8000 font/sfnt: verify the total number of contour points · golang/image@6944b10 · GitHub
[go: up one dir, main page]
Skip to content

Commit 6944b10

Browse files
nigeltaonigeltao
committed
font/sfnt: verify the total number of contour points
The SFNT file format explicitly lists the number of points in each simple (non-compound) glyph and, in this package, this is loaded in func loadGlyf as the numPoints variable. numPoints is then passed to func findXYIndexes to verify that the (variable length) remaning glyph data has content for that many points. loadGlyf then uses a glyfIter to iterate over those points, but prior to this commit, fails to enforce that the glyfIter also honors numPoints when walking each contour of a glyph. This can lead to a panic (slice index out of bounds) on a malformed SFNT file, if glyfIter then tries to walk too many points. Fixes golang/go#48006 Change-Id: I92530e570eb37ce0087927ca23060acebe0a7705 Reviewed-on: https://go-review.googlesource.com/c/image/+/358994 Reviewed-by: Andrew Gerrand <adg@golang.org> Trust: Nigel Tao <nigeltao@golang.org>
1 parent a66eb64 commit 6944b10

File tree

1 file changed

+10
-4
lines changed

1 file changed

+10
-4
lines changed

font/sfnt/truetype.go

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,10 @@ func loadGlyf(f *Font, b *Buffer, x GlyphIndex, stackBottom, recursionDepth uint
152152
xIndex: xIndex,
153153
yIndex: yIndex,
154154
endIndex: glyfHeaderLen,
155-
// The -1 is because the contour-end index in the file format is
156-
// inclusive, but Go's slice[:index] semantics are exclusive.
155+
// The -1 on prevEnd and finalEnd are because the contour-end index in
156+
// the file format is inclusive, but Go's slice[:index] is exclusive.
157157
prevEnd: -1,
158+
finalEnd: int32(numPoints - 1),
158159
numContours: int32(numContours),
159160
}
160161
for g.nextContour() {
@@ -334,9 +335,11 @@ type glyfIter struct {
334335
yIndex int32
335336

336337
// endIndex points to the uint16 that is the inclusive point index of the
337-
// current contour's end. prevEnd is the previous contour's end.
338+
// current contour's end. prevEnd is the previous contour's end. finalEnd
339+
// should match the final contour's end.
338340
endIndex int32
339341
prevEnd int32
342+
finalEnd int32
340343

341344
// c and p count the current contour and point, up to numContours and
342345
// numPoints.
@@ -386,13 +389,16 @@ type glyfIter struct {
386389

387390
func (g *glyfIter) nextContour() (ok bool) {
388391
if g.c == g.numContours {
392+
if g.prevEnd != g.finalEnd {
393+
g.err = errInvalidGlyphData
394+
}
389395
return false
390396
}
391397
g.c++
392398

393399
end := int32(u16(g.data[g.endIndex:]))
394400
g.endIndex += 2
395-
if end <= g.prevEnd {
401+
if (end <= g.prevEnd) || (g.finalEnd < end) {
396402
g.err = errInvalidGlyphData
397403
return false
398404
}

0 commit comments

Comments
 (0)
0