authorUli Schlachter <psychon@znc.in>2022-12-31 13:41:32 +0100
committerUli Schlachter <psychon@znc.in>2022-12-31 13:43:32 +0100
commitcc656934da36943cc780e399d3853b213988be4b (patch)
tree7e37e89c6ba1f5f49871b1fd2f35997728b97b44 /src/cairo-cff-subset.c
parent52760fc90ea0472005708b8903b66dd00799b3eb (diff)
downloadcairo-cc656934da36943cc780e399d3853b213988be4b.tar.gz
Fix a possible out-of-bounds read
While working on the previous commit, I noticed that nothing makes sure that the entry points within the font data. Thus, this could easily cause out-of-bounds reads. This commit adds a suitable length check for this. Signed-off-by: Uli Schlachter <psychon@znc.in>
Diffstat (limited to 'src/cairo-cff-subset.c')
-rw-r--r--src/cairo-cff-subset.c2
1 files changed, 1 insertions, 1 deletions
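diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 38b6824b6..dd626e85c 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -430,7 +430,7 @@ cff_index_read (cairo_array_t *index, unsigned char **ptr, unsigned char *end_pt
 for (i = 0; i < count; i++) {
 end = decode_index_offset (p, offset_size);
 p += offset_size;
- if (p > end_ptr || end < start)
+ if (p > end_ptr || end < start || data + end > end_ptr)
 return CAIRO_INT_STATUS_UNSUPPORTED;
 element.length = end - start;
 element.is_copy = FALSE;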
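Review bot: The added guard `data + end > end_ptr` computes a pointer beyond the font buffer before comparing it, and `end` comes straight from untrusted font bytes, so for an oversized offset the addition itself is undefined behaviour (C11 6.5.6) and an optimizer is entitled to assume it cannot exceed `end_ptr`. Comparing offsets rather than pointers keeps the check in integer arithmetic: `if (p > end_ptr || end < start || end > (size_t)(end_ptr - data))` (adjust the cast to whatever type `decode_index_offset` returns). This presumes `data` has already been established to lie at or before `end_ptr` where it is computed earlier in the function; that code is outside the hunk, so confirm it. `cff_index_read` begins before and continues after this hunk.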