GhostPDF - avoid 32-bit overflow checking size of table

OSS-fuzz #57880 toffs was fuzzed to be very nearly 2^32-1 and when the (valid) tlen was added to it, the result overflowed a 32-bit value, evading the existing check to ensure the table was entirely contained in the buffer of data. Simply promote the 32-bit variables to 64-bit before performing the arithmetic and the check. fbuflen is already a 64-bit value.
author: Ken Sharp <ken.sharp@artifex.com> 2023-04-11 09:49:52 +0100
committer: Ken Sharp <ken.sharp@artifex.com> 2023-04-11 09:49:52 +0100
commit: acaa21f68ede3ae8fca48136fa95ee32de6533b2 (patch)
tree: b2933ca03357d0f76e7c26a085af6e97053066df
parent: 91943811904f562b101b0ac410da60974b4186f2 (diff)
download: ghostpdl-acaa21f68ede3ae8fca48136fa95ee32de6533b2.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/pdf/pdf_font1C.c b/pdf/pdf_font1C.c
index 0974905d9..e688de4ba 100644
--- a/pdf/pdf_font1C.c
+++ b/pdf/pdf_font1C.c
@@ -2263,7 +2263,11 @@ pdfi_read_cff_font(pdf_context *ctx, pdf_dict *font_dict, pdf_dict *stream_dict,
                 break;
             }
         }
-        if (toffs == 0 || tlen == 0 || toffs + tlen > fbuflen) {
+        /* Sanity check the offset and size of the CFF table and make sure the declared
+         * size and position fits inside the data we have. Promote the 32-bit variables to
+         * 64-bit to avoid overflow calculating the end of the table.
+         */
+        if (toffs == 0 || tlen == 0 || (uint64_t)toffs + (uint64_t)tlen > fbuflen) {
             gs_free_object(ctx->memory, pfbuf, "pdfi_read_cff_font(fbuf)");
             return_error(gs_error_invalidfont);
         }
author	Ken Sharp <ken.sharp@artifex.com>	2023-04-11 09:49:52 +0100
committer	Ken Sharp <ken.sharp@artifex.com>	2023-04-11 09:49:52 +0100
commit	acaa21f68ede3ae8fca48136fa95ee32de6533b2 (patch)
tree	b2933ca03357d0f76e7c26a085af6e97053066df
parent	91943811904f562b101b0ac410da60974b4186f2 (diff)
download	ghostpdl-acaa21f68ede3ae8fca48136fa95ee32de6533b2.tar.gz