bound BMF block walk to buffer end #1643
Conversation
Thanks for your patience. I'm just looking into a couple of scenarios.

I did a pass through cfeBMF.c. Some of the changes are just clean-up, others (kerning table) are functional. Please take a look, as I don't have access to your test harness. Maybe you can apply any relevant changes to the other file as well? Thanks!

Ran your cfeBMF pass through the asan harness. One thing stood out: the common block's applied the relevant bit to

Thanks. We'll get this merged.
The BMF block walk in xs_parseBMFandCFESetFontData advances bytes by file-controlled block sizes (bytes += 4 + c_read32(bytes), bytes += size - 8) without bounding the cursor against the buffer end, so a crafted block size makes the next c_read* read past the allocation (found with an asan build feeding a truncated font); this bounds every advance and field read against end.
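The bounded walk the description refers to, as an added C example that is not the project's code: the block layout ([u32 size][payload]) and the rd32 helper are assumptions standing in for the real BMF layout and c_read32, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read; stand-in for the page's c_read32 (assumption). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a stream of [u32 size][size-byte payload] blocks (assumed layout, not
 * the real BMF spec). Each field read and each cursor advance is checked
 * against end *before* it happens, comparing the size to the remaining length
 * instead of forming bytes + size first (that pointer may already lie outside
 * the allocation). Returns the block count, or -1 if the stream is malformed. */
int walk_blocks(const uint8_t *buf, size_t len) {
    const uint8_t *bytes = buf, *end = buf + len;
    int count = 0;
    while (bytes < end) {
        if ((size_t)(end - bytes) < 4)        /* field read: size needs 4 bytes */
            return -1;
        uint32_t size = rd32(bytes);
        bytes += 4;
        if (size > (size_t)(end - bytes))     /* advance: payload must fit */
            return -1;
        bytes += size;
        count++;
    }
    return count;
}

/* Constructed inputs of the kind an asan harness would feed. */
static const uint8_t well_formed[] = {3,0,0,0,'a','b','c', 0,0,0,0}; /* two blocks */
static const uint8_t truncated[]   = {3,0,0,0,'a'};                  /* payload cut */
static const uint8_t oversized[]   = {0xff,0xff,0xff,0xff};          /* huge size */
static const uint8_t short_tail[]  = {0,0,0,0, 1,2};                 /* 2-byte tail */

int walk_well_formed(void) { return walk_blocks(well_formed, sizeof well_formed); }
int walk_truncated(void)   { return walk_blocks(truncated, sizeof truncated); }
int walk_oversized(void)   { return walk_blocks(oversized, sizeof oversized); }
int walk_short_tail(void)  { return walk_blocks(short_tail, sizeof short_tail); }

int main(void) {
    printf("well-formed: %d truncated: %d oversized: %d short tail: %d\n",
           walk_well_formed(), walk_truncated(), walk_oversized(), walk_short_tail());
    return 0;
}
```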