author | Ethan Vrhel <ethanvrhel@gmail.com> | 2022-08-12 15:51:07 -0700 |
---|---|---|
committer | Ethan Vrhel <ethanvrhel@gmail.com> | 2022-08-16 19:36:43 -0700 |
commit | 484009742f9107e78cd17582e9455fe57b87b70a (patch) | |
tree | 059ded1eb63a2e6541c0789bb178ab5d2bf21dc1 | |
parent | 461818d4af16839b9cd8c68320fc224f66d76691 (diff) | |
download | ghostpdl-484009742f9107e78cd17582e9455fe57b87b70a.tar.gz |
Bug 705737 : XPS interpreter
Added check to an offset while reading the index header in
xps_count_cff_index. If the offset was read as negative, the function
will return a pointer outside the range of the buffer.
-rw-r--r-- | xps/xpscff.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/xps/xpscff.c b/xps/xpscff.c index 269926c06..5f1e4c149 100644 --- a/xps/xpscff.c +++ b/xps/xpscff.c @@ -415,6 +415,12 @@ xps_count_cff_index(byte *p, byte *e, int *countp) p += count * offsize; last = uofs(p, offsize); + if (last < 0 || p + last > e) + { + gs_throw(-1, "corrupt index header"); + return 0; + } + p += offsize; p --; /* stupid offsets */ |
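Review bot: the added condition `p + last > e` forms the pointer `p + last` before comparing it, so a large `last` can push that pointer far past the end of the buffer, which is undefined behaviour in C and can wrap so that the test passes. Comparing lengths instead, `last < 0 || last > e - p`, keeps the arithmetic inside the buffer. The check also sits before `p += offsize; p --;`, so if the pointer returned later is built from `last` on top of the adjusted `p`, it can still land up to `offsize - 1` bytes beyond `e`; doing the check after the adjustment, or including `offsize - 1` in the bound, would close that gap. Finally, `uofs(p, offsize)` reads `offsize` bytes right after `p += count * offsize`, and nothing in the visible lines confirms those bytes are below `e` before the read, so it is worth verifying that an earlier check in the function covers it.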