[sbix] Check blob length against PNG header leangth

This commit is contained in:
Behdad Esfahbod 2018-10-28 14:16:52 -07:00
parent d3ec31a57c
commit 48bc3039cb
1 changed files with 23 additions and 14 deletions

View File

@ -199,7 +199,13 @@ struct sbix
struct PNGHeader struct PNGHeader
{ {
HBUINT8 signature[8]; HBUINT8 signature[8];
HBUINT8 chunkHeaderIHDR[8]; struct
{
struct
{
HBUINT32 length;
Tag type;
} header;
HBUINT32 width; HBUINT32 width;
HBUINT32 height; HBUINT32 height;
HBUINT8 bitDepth; HBUINT8 bitDepth;
@ -207,6 +213,10 @@ struct sbix
HBUINT8 compressionMethod; HBUINT8 compressionMethod;
HBUINT8 filterMethod; HBUINT8 filterMethod;
HBUINT8 interlaceMethod; HBUINT8 interlaceMethod;
} IHDR;
public:
DEFINE_SIZE_STATIC (29);
}; };
inline bool get_png_extents (hb_codepoint_t glyph, inline bool get_png_extents (hb_codepoint_t glyph,
@ -222,21 +232,20 @@ struct sbix
HB_TAG ('p','n','g',' '), HB_TAG ('p','n','g',' '),
&x_offset, &y_offset); &x_offset, &y_offset);
const PNGHeader &header = *blob->as<PNGHeader>(); const PNGHeader &png = *blob->as<PNGHeader>();
if (header.width == 0 && header.width == 0) if (unlikely (blob->length < sizeof (PNGHeader)))
return false; return false;
extents->x_bearing = x_offset; extents->x_bearing = x_offset;
extents->y_bearing = y_offset; extents->y_bearing = y_offset;
extents->width = header.width; extents->width = png.IHDR.width;
extents->height = header.height; extents->height = png.IHDR.height;
hb_blob_destroy (blob); hb_blob_destroy (blob);
return true; return true;
} }
inline bool has_data () const inline bool has_data () const { return sbix_len; }
{ return sbix_len; }
private: private:
hb_blob_t *sbix_blob; hb_blob_t *sbix_blob;