authorChris Liddell <chris.liddell@artifex.com>2022-02-28 09:01:04 +0000
committerChris Liddell <chris.liddell@artifex.com>2022-02-28 15:43:58 +0000
commitdd30fa1275e71327ebee7393ca0c8f77aec3d051 (patch)
tree25de102eac47c9a999dfec4bccf4165afd34e610
parentd36d9d8fc8bf4d6e31f5b1ca4ff8a98215b5b1e5 (diff)
downloadghostpdl-dd30fa1275e71327ebee7393ca0c8f77aec3d051.tar.gz
oss-fuzz 45085: Validate the FDarray index before returning it
-rw-r--r--pdf/pdf_font1C.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/pdf/pdf_font1C.c b/pdf/pdf_font1C.c
index 495bf8cfa..89cc46c94 100644
--- a/pdf/pdf_font1C.c
+++ b/pdf/pdf_font1C.c
@@ -438,10 +438,14 @@ pdfi_cff_cid_glyph_data(gs_font_base *pbfont, gs_glyph glyph, gs_glyph_data_t *p
pdfi_countup(glyphname);
code = pdfi_dict_get_by_key(pdffont9->ctx, pdffont9->CharStrings, glyphname, (pdf_obj **) &charstring);
if (code >= 0 && charstring->length > gscidfont->cidata.FDBytes) {
- if (gscidfont->cidata.FDBytes != 0)
- *pfidx = (int)charstring->data[0];
+ if (gscidfont->cidata.FDBytes != 0) {
+ if ((int)charstring->data[0] > gscidfont->cidata.FDArray_size)
+ code = gs_note_error(gs_error_invalidfont);
+ else
+ *pfidx = (int)charstring->data[0];
+ }
- if (pgd && ((int64_t)charstring->length - (int64_t)gscidfont->cidata.FDBytes) >= 0)
+ if (code >= 0 && pgd && ((int64_t)charstring->length - (int64_t)gscidfont->cidata.FDBytes) >= 0)
gs_glyph_data_from_bytes(pgd, charstring->data + gscidfont->cidata.FDBytes, 0, charstring->length - gscidfont->cidata.FDBytes, NULL);
}
}
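Review bot: The added bound check `if ((int)charstring->data[0] > gscidfont->cidata.FDArray_size)` uses `>`, so an FD index equal to FDArray_size is still accepted and stored in `*pfidx`. If FDArray_size holds the number of entries in the FDArray (its definition is not visible here), that value is one past the last valid slot, and the out-of-range index this commit guards against stays reachable for that one input. The comparison should probably be `if ((int)charstring->data[0] >= gscidfont->cidata.FDArray_size)`. A short comment such as `/* FD index comes from untrusted font data; reject anything outside FDArray */` would also record why the check exists. pdfi_cff_cid_glyph_data starts and ends outside the hunk, so whether `charstring` and `glyphname` are released on the new error path cannot be confirmed from these lines.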