Avoid strtol on non-null-terminated data.

Technically, `strtol` can only be used with C strings terminated with
`\0`.  CID data is not generally null-terminated and often does not
contain a `\0` if it is hex-encoded.  AddressSanitizer with `ASAN_OPTIONS`
containing `strict_string_checks=1` verifies this by using an adversarial
`strtol` that always reads to the terminating `\0`.

To avoid undefined behavior from `strtol` in `cid_parser_new`, use the
parser to parse the tokens instead of attempting to parse them ad-hoc.
This will internally use `PS_Conv_Strtol` to parse the integer, which
respects the parser's limits and directly implements the PostScript
parsing rules for integers.

* src/cid/cidparse.c (cid_parser_new): Use the parser to parse the
tokens.

Fixes: https://bugs.chromium.org/p/chromium/issues/detail?id=1420329

0 files changed, 0 insertions, 0 deletions