Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-15-SP7:Update
woff2
woff2-fix-overflow-when-decoding-glyf.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File woff2-fix-overflow-when-decoding-glyf.patch of Package woff2
From 3831354113db8803fb1f5ba196cf0bbb537578dd Mon Sep 17 00:00:00 2001 From: Garret Rieger <grieger@google.com> Date: Thu, 31 May 2018 17:54:06 -0700 Subject: [PATCH] [subset] Check for overflow when decoding glyf. --- src/woff2_dec.cc | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/src/woff2_dec.cc b/src/woff2_dec.cc index 8186c8e..25e18c6 100644 --- a/src/woff2_dec.cc +++ b/src/woff2_dec.cc @@ -111,6 +111,16 @@ int WithSign(int flag, int baseval) { return (flag & 1) ? baseval : -baseval; } +bool _SafeIntAddition(int a, int b, int* result) { + if (PREDICT_FALSE( + ((a > 0) && (b > std::numeric_limits<int>::max() - a)) || + ((a < 0) && (b < std::numeric_limits<int>::min() - a)))) { + return false; + } + *result = a + b; + return true; +} + bool TripletDecode(const uint8_t* flags_in, const uint8_t* in, size_t in_size, unsigned int n_points, Point* result, size_t* in_bytes_consumed) { int x = 0; @@ -166,9 +176,12 @@ bool TripletDecode(const uint8_t* flags_in, const uint8_t* in, size_t in_size, (in[triplet_index + 2] << 8) + in[triplet_index + 3]); } triplet_index += n_data_bytes; - // Possible overflow but coordinate values are not security sensitive - x += dx; - y += dy; + if (!_SafeIntAddition(x, dx, &x)) { + return false; + } + if (!_SafeIntAddition(y, dy, &y)) { + return false; + } *result++ = {x, y, on_curve}; } *in_bytes_consumed = triplet_index;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor