diff options
author | Uli Schlachter <psychon@znc.in> | 2021-01-06 10:38:42 +0100 |
---|---|---|
committer | Uli Schlachter <psychon@znc.in> | 2021-01-07 02:03:55 +0100 |
commit | b1e81ee98f532a7606e451c55033e42c5bfb517c (patch) | |
tree | afff29b1066f47075c84e117d1c8d02edec3ddd3 /src/cairo-cff-subset.c | |
parent | cb3618f76d10c2e0cd1e6196ed79d4af4d7d5e44 (diff) | |
download | cairo-b1e81ee98f532a7606e451c55033e42c5bfb517c.tar.gz |
Add a bounds check to cairo_cff_font_read_fdselect()
The code in cairo-cff-subset.c parses a binary format without seeming to
bother much with verifying the data. The result is that poppler can be
used to cause an out-of-bounds write in cairo_cff_font_read_fdselect()
via a crafted font file. Fix this by adding the needed length check.
The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.
No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/451
Signed-off-by: Uli Schlachter <psychon@znc.in>
Diffstat (limited to 'src/cairo-cff-subset.c')
-rw-r--r-- | src/cairo-cff-subset.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c index f85190f77..d536f25c9 100644 --- a/src/cairo-cff-subset.c +++ b/src/cairo-cff-subset.c @@ -991,6 +991,8 @@ cairo_cff_font_read_fdselect (cairo_cff_font_t *font, unsigned char *p) p += 2; fd = *p++; last = get_unaligned_be16 (p); + if (last > font->num_glyphs) + return CAIRO_INT_STATUS_UNSUPPORTED; for (j = first; j < last; j++) font->fdselect[j] = fd; } |