| Field | Value | Date |
|---|---|---|
| author | Uli Schlachter <psychon@znc.in> | 2022-12-31 13:41:32 +0100 |
| committer | Uli Schlachter <psychon@znc.in> | 2022-12-31 13:43:32 +0100 |
| commit | cc656934da36943cc780e399d3853b213988be4b (patch) | |
| tree | 7e37e89c6ba1f5f49871b1fd2f35997728b97b44 /src/cairo-cff-subset.c | |
| parent | 52760fc90ea0472005708b8903b66dd00799b3eb (diff) | |
| download | cairo-cc656934da36943cc780e399d3853b213988be4b.tar.gz | |
Fix a possible out-of-bounds read
While working on the previous commit, I noticed that nothing makes sure
that the entry points within the font data. Thus, this could easily
cause out-of-bounds reads.
This commit adds a suitable length check for this.
Signed-off-by: Uli Schlachter <psychon@znc.in>
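As an added illustration of the check the commit describes (example code written for this page, not cairo's implementation): a small reader for the CFF INDEX structure that `cff_index_read` walks, assuming the layout given in the CFF specification (a 2-byte count, a 1-byte offSize, count+1 big-endian one-based offsets, then the element data). It rejects an offset that points outside the buffer, and it does so by comparing lengths rather than pointers, so no pointer past the end of the font data is ever formed. The function names, status codes and sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes of this hypothetical reader (cairo returns cairo_int_status_t). */
enum index_status { INDEX_OK = 0, INDEX_TRUNCATED = 1, INDEX_BAD_OFFSET = 2 };

/* One INDEX element: a view into the caller's buffer, never a copy. */
struct index_element {
    const unsigned char *bytes;
    size_t length;
};

/* Big-endian offset of 1..4 bytes, as stored in a CFF INDEX offset array. */
static uint32_t decode_offset(const unsigned char *p, unsigned offset_size)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < offset_size; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Parse one CFF INDEX: count, offSize, count+1 one-based offsets, element data.
 * Every bound is checked as a length against the bytes that remain, so no
 * pointer beyond end_ptr is formed. On success *ptr is advanced past the INDEX;
 * at most max_elements entries are stored, *count_out reports the full count. */
static enum index_status
read_cff_index(const unsigned char **ptr, const unsigned char *end_ptr,
               struct index_element *elements, size_t max_elements,
               size_t *count_out)
{
    const unsigned char *p = *ptr;
    size_t avail = (size_t)(end_ptr - p);

    if (avail < 2)
        return INDEX_TRUNCATED;
    size_t count = ((size_t)p[0] << 8) | p[1];
    p += 2;
    avail -= 2;
    *count_out = count;
    if (count == 0) {               /* an empty INDEX is just its count field */
        *ptr = p;
        return INDEX_OK;
    }
    if (avail < 1)
        return INDEX_TRUNCATED;
    unsigned offset_size = p[0];
    p += 1;
    avail -= 1;
    if (offset_size < 1 || offset_size > 4)
        return INDEX_BAD_OFFSET;
    /* The offset array needs (count+1)*offset_size bytes; divide, don't multiply. */
    if (count + 1 > avail / offset_size)
        return INDEX_TRUNCATED;

    /* Offsets are 1-based, so element data begins one byte after `data`.
     * data <= end_ptr holds because the offset array was shown to fit. */
    const unsigned char *data = p + (count + 1) * offset_size - 1;
    size_t data_avail = (size_t)(end_ptr - data);

    uint32_t start = decode_offset(p, offset_size);
    p += offset_size;
    if (start != 1)                 /* the spec requires the first offset to be 1 */
        return INDEX_BAD_OFFSET;
    for (size_t i = 0; i < count; i++) {
        uint32_t end = decode_offset(p, offset_size);
        p += offset_size;
        /* The check the commit adds, expressed as a length comparison: element
         * [start, end) must lie inside the buffer, otherwise it reads past it. */
        if (end < start || end > data_avail)
            return INDEX_BAD_OFFSET;
        if (i < max_elements) {
            elements[i].bytes = data + start;   /* <= end_ptr by the check above */
            elements[i].length = end - start;
        }
        start = end;
    }
    *ptr = data + start;            /* first byte after the INDEX */
    return INDEX_OK;
}

/* Constructed samples, not taken from any real font. count=2, offSize=1,
 * offsets {1,4,6}, data "abcde": elements "abc" and "de". */
static const unsigned char sample_ok[] = {
    0x00, 0x02, 0x01, 0x01, 0x04, 0x06, 'a', 'b', 'c', 'd', 'e'
};
/* Same layout, but the final offset (7) points one byte past the buffer. */
static const unsigned char sample_oob[] = {
    0x00, 0x02, 0x01, 0x01, 0x04, 0x07, 'a', 'b', 'c', 'd', 'e'
};
/* count=5 with only one offset byte present: the offset array itself is cut. */
static const unsigned char sample_short[] = { 0x00, 0x05, 0x01, 0x01 };

static enum index_status
parse_buffer(const unsigned char *buf, size_t len,
             struct index_element *elements, size_t max_elements, size_t *count_out)
{
    const unsigned char *p = buf;
    return read_cff_index(&p, buf + len, elements, max_elements, count_out);
}

int main(void)
{
    struct index_element el[4];
    size_t n = 0;
    enum index_status st = parse_buffer(sample_ok, sizeof sample_ok, el, 4, &n);
    printf("ok:    status %d, %zu elements, [0]=%.*s [1]=%.*s\n", (int)st, n,
           (int)el[0].length, (const char *)el[0].bytes,
           (int)el[1].length, (const char *)el[1].bytes);
    st = parse_buffer(sample_oob, sizeof sample_oob, el, 4, &n);
    printf("oob:   status %d (2 = offset rejected)\n", (int)st);
    st = parse_buffer(sample_short, sizeof sample_short, el, 4, &n);
    printf("short: status %d (1 = truncated)\n", (int)st);
    return 0;
}
```

The out-of-range sample is the case the commit message describes: every field decodes cleanly, only the last offset points past the end of the data, and without the `end > data_avail` test the element would be handed out with a length that reaches beyond the buffer.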
Diffstat (limited to 'src/cairo-cff-subset.c')
-rw-r--r-- | src/cairo-cff-subset.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c index 38b6824b6..dd626e85c 100644 --- a/src/cairo-cff-subset.c +++ b/src/cairo-cff-subset.c @@ -430,7 +430,7 @@ cff_index_read (cairo_array_t *index, unsigned char **ptr, unsigned char *end_pt for (i = 0; i < count; i++) { end = decode_index_offset (p, offset_size); p += offset_size; - if (p > end_ptr || end < start) + if (p > end_ptr || end < start || data + end > end_ptr) return CAIRO_INT_STATUS_UNSUPPORTED; element.length = end - start; element.is_copy = FALSE; |
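Review bot: the added `data + end > end_ptr` test compares a pointer built from the untrusted decoded offset, and in C forming `data + end` is undefined once it lands beyond one past the end of the buffer, so a large `end` from `decode_index_offset (p, offset_size)` can in practice wrap and still satisfy the comparison on some targets. Compare lengths instead: `if (p > end_ptr || end < start || end > (size_t) (end_ptr - data))`. That keeps the intended meaning (element `[start, end)` must lie within `data .. end_ptr`, consistent with `element.length = end - start`) without ever forming an out-of-range pointer; it does rely on `data <= end_ptr`, which is not visible in this hunk and should be established where `data` is computed.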