179456c69Sopenharmony_ciFrom 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001
279456c69Sopenharmony_ciFrom: Behdad Esfahbod <behdad@behdad.org>
379456c69Sopenharmony_ciDate: Wed, 1 Jun 2022 07:38:21 -0600
479456c69Sopenharmony_ciSubject: [PATCH] [sbix] Limit glyph extents
579456c69Sopenharmony_ci
679456c69Sopenharmony_ciFixes https://github.com/harfbuzz/harfbuzz/issues/3557
779456c69Sopenharmony_ci---
879456c69Sopenharmony_ci src/hb-ot-color-sbix-table.hh | 6 ++++++
979456c69Sopenharmony_ci test/fuzzing/fonts/sbix-extents.ttf | Bin 0 -> 582 bytes
1079456c69Sopenharmony_ci 2 files changed, 6 insertions(+)
1179456c69Sopenharmony_ci create mode 100644 test/fuzzing/fonts/sbix-extents.ttf
1279456c69Sopenharmony_ci
1379456c69Sopenharmony_cidiff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
1479456c69Sopenharmony_ciindex 9741ebd450..6efae43cda 100644
1579456c69Sopenharmony_ci--- a/src/hb-ot-color-sbix-table.hh
1679456c69Sopenharmony_ci+++ b/src/hb-ot-color-sbix-table.hh
1779456c69Sopenharmony_ci@@ -298,6 +298,12 @@ struct sbix
1879456c69Sopenharmony_ci
1979456c69Sopenharmony_ci const PNGHeader &png = *blob->as<PNGHeader>();
2079456c69Sopenharmony_ci
2179456c69Sopenharmony_ci+ if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536)
2279456c69Sopenharmony_ci+ {
2379456c69Sopenharmony_ci+ hb_blob_destroy (blob);
2479456c69Sopenharmony_ci+ return false;
2579456c69Sopenharmony_ci+ }
2679456c69Sopenharmony_ci+
2779456c69Sopenharmony_ci extents->x_bearing = x_offset;
2879456c69Sopenharmony_ci extents->y_bearing = png.IHDR.height + y_offset;
2979456c69Sopenharmony_ci extents->width = png.IHDR.width;
30
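Review bot: The new bounds check on `png.IHDR.height` and `png.IHDR.width` joins its two comparisons with bitwise `|` and uses a bare `65536`, so it reads like a typo for `||` and does not say what the limit protects. Both operators give the same result here because each operand is a comparison, but `if (png.IHDR.height >= 65536 || png.IHDR.width >= 65536)` is what readers and linters expect; if branch-free evaluation is intended, a comment should say so. A one-line comment such as `/* PNG dimensions come from the font and are untrusted; cap them so the extents arithmetic below cannot overflow. */` would record why the limit exists, presumably the overflow reported in the linked issue, which is not visible from this hunk. The enclosing function begins and ends outside the hunk, so how `extents` is used after these assignments cannot be checked from here.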