48 lines
1.5 KiB
Diff
48 lines
1.5 KiB
Diff
|
From 3831354113db8803fb1f5ba196cf0bbb537578dd Mon Sep 17 00:00:00 2001
|
||
|
|
From: Garret Rieger <grieger@google.com>
|
||
|
|
Date: Thu, 31 May 2018 17:54:06 -0700
|
||
|
|
Subject: [PATCH] [subset] Check for overflow when decoding glyf.
|
||
|
|
|
||
|
|
---
|
||
|
|
src/woff2_dec.cc | 19 ++++++++++++++++---
|
||
|
|
1 file changed, 16 insertions(+), 3 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/woff2_dec.cc b/src/woff2_dec.cc
|
||
|
|
index 8186c8e..25e18c6 100644
|
||
|
|
--- a/src/woff2_dec.cc
|
||
|
|
+++ b/src/woff2_dec.cc
|
||
|
|
@@ -111,6 +111,16 @@ int WithSign(int flag, int baseval) {
|
||
|
|
return (flag & 1) ? baseval : -baseval;
|
||
|
|
}
|
||
|
|
|
||
|
|
+bool _SafeIntAddition(int a, int b, int* result) {
|
||
|
|
+ if (PREDICT_FALSE(
|
||
|
|
+ ((a > 0) && (b > std::numeric_limits<int>::max() - a)) ||
|
||
|
|
+ ((a < 0) && (b < std::numeric_limits<int>::min() - a)))) {
|
||
|
|
+ return false;
|
||
|
|
+ }
|
||
|
|
+ *result = a + b;
|
||
|
|
+ return true;
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
bool TripletDecode(const uint8_t* flags_in, const uint8_t* in, size_t in_size,
|
||
|
|
unsigned int n_points, Point* result, size_t* in_bytes_consumed) {
|
||
|
|
int x = 0;
|
||
|
|
@@ -166,9 +176,12 @@ bool TripletDecode(const uint8_t* flags_in, const uint8_t* in, size_t in_size,
|
||
|
|
(in[triplet_index + 2] << 8) + in[triplet_index + 3]);
|
||
|
|
}
|
||
|
|
triplet_index += n_data_bytes;
|
||
|
|
- // Possible overflow but coordinate values are not security sensitive
|
||
|
|
- x += dx;
|
||
|
|
- y += dy;
|
||
|
|
+ if (!_SafeIntAddition(x, dx, &x)) {
|
||
|
|
+ return false;
|
||
|
|
+ }
|
||
|
|
+ if (!_SafeIntAddition(y, dy, &y)) {
|
||
|
|
+ return false;
|
||
|
|
+ }
|
||
|
|
*result++ = {x, y, on_curve};
|
||
|
|
}
|
||
|
|
*in_bytes_consumed = triplet_index;
|
||
|
|
|