[sfnt] Avoid allocation bomb in compressed SVG documents.

Reported as https://issues.oss-fuzz.com/issues/416538625 * src/sfnt/ttsvg.c (MAX_SVG_SIZE): New macro. (tt_face_load_svg_doc): Reject too large buffer.
2026-01-19 04:52:09 +00:00 · 2025-05-09 13:25:34 +02:00
parent 04455084cf
commit 6fa8725a41
1 changed files with 10 additions and 0 deletions
--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@@ -46,6 +46,9 @@
                                         SVG_DOCUMENT_LIST_MINIMUM_SIZE)


+  /* An arbitrary, heuristic size limit (67MByte) for expanded SVG data. */
+#define MAX_SVG_SIZE  ( 1 << 26 )
+
  typedef struct  Svg_
  {
    FT_UShort  version;                 /* table version (starting at 0)  */
@@ -346,6 +349,13 @@
                    (FT_ULong)doc[doc_length - 3] << 8  |
                    (FT_ULong)doc[doc_length - 4];

+      if ( uncomp_size >= MAX_SVG_SIZE )
+      {
+        FT_ERROR(( "Uncompressed SVG document too large.\n" ));
+        error = FT_THROW( Array_Too_Large );
+        goto Exit;
+      }
+
      if ( FT_QALLOC( uncomp_buffer, uncomp_size ) )
        goto Exit;