| From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001 |
| From: Behdad Esfahbod <behdad@behdad.org> |
| Date: Wed, 1 Jun 2022 07:38:21 -0600 |
| Subject: [PATCH] [sbix] Limit glyph extents |
| |
| Fixes https://github.com/harfbuzz/harfbuzz/issues/3557 |
| |
| Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/62e803b36173fd096d7ad460dd1d1db9be542593] |
| CVE:CVE-2022-33068 |
| Signed-off-by: Wentao Zhang<Wentao.Zhang@windriver.com> |
| |
| --- |
| src/hb-ot-color-sbix-table.hh | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh |
| index 9741ebd45..6efae43cd 100644 |
| --- a/src/hb-ot-color-sbix-table.hh |
| +++ b/src/hb-ot-color-sbix-table.hh |
| @@ -298,6 +298,12 @@ struct sbix |
| |
| const PNGHeader &png = *blob->as<PNGHeader>(); |
| |
| + if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536) |
| + { |
| + hb_blob_destroy (blob); |
| + return false; |
| + } |
| + |
| extents->x_bearing = x_offset; |
| extents->y_bearing = png.IHDR.height + y_offset; |
| extents->width = png.IHDR.width; |
| -- |
| 2.25.1 |
| |