[sfnt] Add SVG document bounds checking

System Internals / FreeType - Ben Wagner [chromium.org] - 27 September 2022 05:31 UTC

Add a check that the document content is actually contained within the `SVG ` table. Without this check a malformed font may claim arbitrary memory as its document content.

- src/sfnt/ttsvg.c (tt_face_load_svg): Take `numEntries` into account when testing 'documentRecord' extents.
  (find_doc): Rename `stream` to `document_records` for clarity.
  (tt_face_load_svg_doc): Split `doc` from `doc_list` pointer for clarity. Test that the document content is contained within the table. Ensure minimum length of document before testing for gzip format.

Reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51812

bd4170077 [sfnt] Add SVG document bounds checking.
src/sfnt/ttsvg.c | 81 +++++++++++++++++++++++++++++++-------------------------
1 file changed, 45 insertions(+), 36 deletions(-)

Upstream: git.savannah.gnu.org
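The three checks the commit message lists (record extents scaled by `numEntries`, document content contained in the table, a minimum length before the gzip test), shown together as an added example written for this page. This is not FreeType's code from src/sfnt/ttsvg.c; it assumes only the OpenType 'SVG ' table layout (10-byte header, document list with a 16-bit `numEntries` followed by 12-byte records whose offsets are relative to the list). The `svg_find_doc` function, the `SVG_ERR_*` codes, the `example_*` wrappers and the 50-byte sample table are all constructed for illustration.

```c
/* Added example for this page, not FreeType's code: a bounds-checked lookup
 * of the SVG document for a glyph in an OpenType 'SVG ' table.  The layout
 * follows the OpenType spec; names, error codes and the sample table are
 * illustrative only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    SVG_OK = 0,
    SVG_ERR_TABLE_TOO_SHORT,       /* header or document list does not fit      */
    SVG_ERR_RECORDS_OUT_OF_BOUNDS, /* numEntries records run past the table     */
    SVG_ERR_DOC_OUT_OF_BOUNDS,     /* svgDocOffset/svgDocLength leave the table */
    SVG_ERR_NOT_FOUND              /* no record covers the glyph                */
};

#define SVG_HEADER_SIZE 10u /* version(2) svgDocumentListOffset(4) reserved(4)  */
#define SVG_RECORD_SIZE 12u /* startGlyphID(2) endGlyphID(2) offset(4) length(4) */
#define GZIP_MAGIC_LEN  3u  /* 1F 8B 08                                          */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* On success *doc/*doc_len describe bytes that provably lie inside
 * table[0 .. table_len) and *is_gzip tells whether they start with gzip magic. */
int svg_find_doc(const uint8_t *table, size_t table_len, uint16_t glyph_id,
                 const uint8_t **doc, size_t *doc_len, int *is_gzip)
{
    uint32_t list_off, num_entries, i;
    size_t   list_len;
    const uint8_t *list;

    if (table_len < SVG_HEADER_SIZE)
        return SVG_ERR_TABLE_TOO_SHORT;
    list_off = rd32(table + 2);
    if (list_off > table_len - 2)            /* numEntries itself must be readable */
        return SVG_ERR_TABLE_TOO_SHORT;
    list        = table + list_off;
    list_len    = table_len - list_off;      /* bytes from list start to table end */
    num_entries = rd16(list);

    /* All numEntries records must fit, not just the first: 65535 * 12 fits in
     * size_t, so this product cannot wrap. */
    if ((size_t)num_entries * SVG_RECORD_SIZE > list_len - 2)
        return SVG_ERR_RECORDS_OUT_OF_BOUNDS;

    for (i = 0; i < num_entries; i++) {
        const uint8_t *rec   = list + 2 + i * SVG_RECORD_SIZE;
        uint16_t       start = rd16(rec), end = rd16(rec + 2);
        uint32_t       off   = rd32(rec + 4), len = rd32(rec + 8);

        if (glyph_id < start || glyph_id > end)
            continue;
        /* svgDocOffset is relative to the document list.  Test offset and
         * length separately so that off + len can never wrap around. */
        if (off > list_len || len > list_len - off)
            return SVG_ERR_DOC_OUT_OF_BOUNDS;
        *doc     = list + off;
        *doc_len = len;
        /* Only read the gzip magic once the document is known to hold it. */
        *is_gzip = len >= GZIP_MAGIC_LEN &&
                   (*doc)[0] == 0x1F && (*doc)[1] == 0x8B && (*doc)[2] == 0x08;
        return SVG_OK;
    }
    return SVG_ERR_NOT_FOUND;
}

/* Constructed 50-byte sample table: a plain "<svg/>" document for glyph 3
 * and a gzip-prefixed blob for glyphs 0x10..0x12. */
static const uint8_t GOOD_TABLE[50] = {
    0x00,0x00, 0x00,0x00,0x00,0x0A, 0x00,0x00,0x00,0x00,            /* header, list at +10    */
    0x00,0x02,                                                      /* numEntries = 2         */
    0x00,0x03, 0x00,0x03, 0x00,0x00,0x00,0x1A, 0x00,0x00,0x00,0x06, /* gid 3: off 26, len 6   */
    0x00,0x10, 0x00,0x12, 0x00,0x00,0x00,0x20, 0x00,0x00,0x00,0x08, /* gid 16-18: off 32, len 8 */
    '<','s','v','g','/','>',                                        /* document 0             */
    0x1F,0x8B,0x08, 0x00,0x00,0x00,0x00,0x00                        /* document 1, gzip magic */
};

/* Document length for glyph_id in GOOD_TABLE, or -1 on any error. */
long example_doc_len(uint16_t glyph_id)
{
    const uint8_t *doc; size_t len; int gz;
    if (svg_find_doc(GOOD_TABLE, sizeof GOOD_TABLE, glyph_id, &doc, &len, &gz))
        return -1;
    return (long)len;
}

/* 1/0 gzip flag for glyph_id's document in GOOD_TABLE, or -1 on error. */
int example_doc_is_gzip(uint16_t glyph_id)
{
    const uint8_t *doc; size_t len; int gz;
    if (svg_find_doc(GOOD_TABLE, sizeof GOOD_TABLE, glyph_id, &doc, &len, &gz))
        return -1;
    return gz;
}

/* Malformed variant 1: record 0 claims 4096 bytes of content, so an unchecked
 * caller would read 4 KiB past a 50-byte table. */
int example_overlong_doc_rc(void)
{
    uint8_t t[sizeof GOOD_TABLE]; const uint8_t *doc; size_t len; int gz;
    memcpy(t, GOOD_TABLE, sizeof t);
    t[20] = 0x00; t[21] = 0x00; t[22] = 0x10; t[23] = 0x00;   /* svgDocLength = 0x1000 */
    return svg_find_doc(t, sizeof t, 3, &doc, &len, &gz);
}

/* Malformed variant 2: numEntries = 65535; the record array alone would span
 * 786420 bytes, which the numEntries-aware extent test rejects up front. */
int example_bogus_numentries_rc(void)
{
    uint8_t t[sizeof GOOD_TABLE]; const uint8_t *doc; size_t len; int gz;
    memcpy(t, GOOD_TABLE, sizeof t);
    t[10] = 0xFF; t[11] = 0xFF;
    return svg_find_doc(t, sizeof t, 3, &doc, &len, &gz);
}

int main(void)
{
    printf("gid 3:  len %ld gzip %d\n", example_doc_len(3),    example_doc_is_gzip(3));
    printf("gid 17: len %ld gzip %d\n", example_doc_len(0x11), example_doc_is_gzip(0x11));
    printf("overlong doc rc %d, bogus numEntries rc %d\n",
           example_overlong_doc_rc(), example_bogus_numentries_rc());
    return 0;
}
```

The two malformed variants are the shapes a fuzzer reaches easily: a single oversized `svgDocLength` and an oversized `numEntries`. Testing `off` and `len` against the remaining table length separately, rather than computing `off + len`, is what keeps a 32-bit wrap-around from passing the containment check.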

