| author | Uli Schlachter <psychon@znc.in> | 2020-12-25 16:09:19 +0100 |
|---|---|---|
| committer | Uli Schlachter <psychon@znc.in> | 2020-12-25 16:09:19 +0100 |
| commit | 467e7822a975fa3ed740144cd849ab596ab30118 (patch) | |
| tree | 09802351f6cacafa836be20a55708fb069b9f079 /src/cairo-cff-subset.c | |
| parent | 979382dd302bbab73d8c81740ddd72afc31a8ea8 (diff) | |
| download | cairo-467e7822a975fa3ed740144cd849ab596ab30118.tar.gz | |
Add a bounds check to cairo_cff_parse_charstring()
The code in cairo-cff-subset.c parses a binary font format without
seeming to bother much about verifying the data. The result is that poppler
can be used to cause an out-of-bounds access in
cairo_cff_parse_charstring() via a crafted font file. Fix this by adding
the needed length check.
The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.
No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/444
Signed-off-by: Uli Schlachter <psychon@znc.in>
Diffstat (limited to 'src/cairo-cff-subset.c')

| -rw-r--r-- | src/cairo-cff-subset.c | 2 |
|---|---|---|

1 files changed, 2 insertions, 0 deletions
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c index fce4195e9..f85190f77 100644 --- a/src/cairo-cff-subset.c +++ b/src/cairo-cff-subset.c @@ -1604,6 +1604,8 @@ cairo_cff_parse_charstring (cairo_cff_font_t *font, } } else { sub_num = font->type2_stack_top_value + font->local_sub_bias; + if (sub_num >= _cairo_array_num_elements(&font->local_sub_index)) + return CAIRO_INT_STATUS_UNSUPPORTED; element = _cairo_array_index (&font->local_sub_index, sub_num); if (! font->local_subs_used[sub_num] || (need_width && !font->type2_found_width)) |
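Review bot: the new check at `if (sub_num >= _cairo_array_num_elements(&font->local_sub_index))` only guards the upper bound; `sub_num` is computed as `font->type2_stack_top_value + font->local_sub_bias`, and if that value is a signed type it can be negative when the charstring pushes a value below `-local_sub_bias`. Whether a negative `sub_num` is rejected here depends on the comparison promoting it to unsigned (i.e. on the return type of `_cairo_array_num_elements`); an explicit `sub_num < 0 ||` in the same condition would make the intent clear and not rely on promotion rules. The check is correctly placed before both the `_cairo_array_index` call and the `font->local_subs_used[sub_num]` read, so both uses on the following lines are covered, assuming `local_subs_used` has the same number of entries as `local_sub_index`. The sibling branch for the global subroutine index sits above this hunk and is not visible; the commit message says similar problems remain elsewhere, so the same check should be confirmed or added for that path.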