diff options
author | Ken Sharp <ken.sharp@artifex.com> | 2023-04-11 09:49:52 +0100 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2023-04-11 09:49:52 +0100 |
commit | acaa21f68ede3ae8fca48136fa95ee32de6533b2 (patch) | |
tree | b2933ca03357d0f76e7c26a085af6e97053066df | |
parent | 91943811904f562b101b0ac410da60974b4186f2 (diff) | |
download | ghostpdl-acaa21f68ede3ae8fca48136fa95ee32de6533b2.tar.gz |
GhostPDF - avoid 32-bit overflow checking size of table
OSS-fuzz #57880
toffs was fuzzed to be very nearly 2^32-1 and when the (valid) tlen was
added to it, the result overflowed a 32-bit value, evading the existing
check to ensure the table was entirely contained in the buffer of data.
Simply promote the 32-bit variables to 64-bit before performing the
arithmetic and the check. fbuflen is already a 64-bit value.
-rw-r--r-- | pdf/pdf_font1C.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/pdf/pdf_font1C.c b/pdf/pdf_font1C.c index 0974905d9..e688de4ba 100644 --- a/pdf/pdf_font1C.c +++ b/pdf/pdf_font1C.c @@ -2263,7 +2263,11 @@ pdfi_read_cff_font(pdf_context *ctx, pdf_dict *font_dict, pdf_dict *stream_dict, break; } } - if (toffs == 0 || tlen == 0 || toffs + tlen > fbuflen) { + /* Sanity check the offset and size of the CFF table and make sure the declared + * size and position fits inside the data we have. Promote the 32-bit variables to + * 64-bit to avoid overflow calculating the end of the table. + */ + if (toffs == 0 || tlen == 0 || (uint64_t)toffs + (uint64_t)tlen > fbuflen) { gs_free_object(ctx->memory, pfbuf, "pdfi_read_cff_font(fbuf)"); return_error(gs_error_invalidfont); } |