Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added range checks to cmap parsing #30

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Added range checks to cmap parsing #30

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 20 additions & 1 deletion truetype/truetype.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -201,13 +201,18 @@ func (f *Font) parseCmap() error {
return err
}
offset = int(u32(f.cmap, offset+4))
if offset <= 0 || offset > len(f.cmap) {
cmapLength := len(f.cmap)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this variable is really worth it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also need to check offset a couple of lines above this one?

if offset <= 0 || offset+2 > cmapLength {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It probably won't matter in practice, but I'd still rather avoid overflow issues:

if offset <= 0 || offset > cmapLength-2 {

Ditto below.

return FormatError("bad cmap offset")
}

cmapFormat := u16(f.cmap, offset)
switch cmapFormat {
case cmapFormat4:
// check cmap length for reading 2+2 bytes starting at offset+4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if these comments add much. I'd just say

if offset > len(f.cmap) - 8 {

if offset+4+2+2 > cmapLength {
return FormatError("bad cmap size")
}
language := u16(f.cmap, offset+4)
if language != languageIndependent {
return UnsupportedError(fmt.Sprintf("language: %d", language))
Expand All @@ -218,6 +223,12 @@ func (f *Font) parseCmap() error {
}
segCount := segCountX2 / 2
offset += 14

// check cmap length for reading segCount*4*2 bytes starting at offset
if offset+segCount*4*2 > cmapLength {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you miss accounting for the "offset += 2" a few lines below?

return FormatError("bad cmap size")
}

f.cm = make([]cm, segCount)
for i := 0; i < segCount; i++ {
f.cm[i].end = uint32(u16(f.cmap, offset))
Expand All @@ -240,6 +251,10 @@ func (f *Font) parseCmap() error {
return nil

case cmapFormat12:
// check cmap length for reading 2+4+4+4 bytes starting at offset+2
if offset+2+2+4+4+4 > cmapLength {
return FormatError("bad cmap size")
}
if u16(f.cmap, offset+2) != 0 {
return FormatError(fmt.Sprintf("cmap format: % x", f.cmap[offset:offset+4]))
}
Expand All @@ -253,6 +268,10 @@ func (f *Font) parseCmap() error {
return FormatError("inconsistent cmap length")
}
offset += 16
// check cmap length for reading nGroups*3*4 bytes starting at offset
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be worth checking, a few lines above, that nGroups is a sane value, so that 12*nGroups doesn't overflow. For example:

nGroups := u32(etc)
if nGroups > 0x10000 {
return UnsupportedError(etc)
}
if length != etc {

if offset+int(nGroups)*3*4 > cmapLength {
return FormatError("bad cmap size")
}
f.cm = make([]cm, nGroups)
for i := uint32(0); i < nGroups; i++ {
f.cm[i].start = u32(f.cmap, offset+0)
Expand Down