| author | Chris Liddell <chris.liddell@artifex.com> | 2022-07-04 14:14:09 +0100 |
|---|---|---|
| committer | Chris Liddell <chris.liddell@artifex.com> | 2022-07-05 10:50:31 +0100 |
| commit | cf5e0668ddedadb0496587103dadfc9b1c90b3e9 (patch) | |
| tree | 391c833586392e9fdc079c58ab5b63a1622d741c | |
| parent | e950d1fa30cda37cae4cc0553a4d24135fc09695 (diff) | |
| download | ghostpdl-cf5e0668ddedadb0496587103dadfc9b1c90b3e9.tar.gz | |
oss-fuzz 48437: Add bounds check on size of loca table data
The test case has a TTF where the loca size has been set to an enormous value.
While the loca size is a 32-bit unsigned number (so the value in question is
"valid"), it should follow a specific relationship with the number of glyphs
that the font contains, and that is an unsigned 16-bit value.
So, we can sanity check the size of the loca table based on that condition.
This may or may not solve the oss-fuzz timeout, but it does improve things
considerably.
-rw-r--r-- | base/gstype42.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/base/gstype42.c b/base/gstype42.c index 3cc922136..1c2b530a2 100644 --- a/base/gstype42.c +++ b/base/gstype42.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2001-2021 Artifex Software, Inc. +/* Copyright (C) 2001-2022 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -269,8 +269,13 @@ gs_type42_font_init(gs_font_type42 * pfont, int subfontID) pfont->data.os2_offset = offset; } } - loca_size >>= pfont->data.indexToLocFormat + 1; + loca_size >>= (pfont->data.indexToLocFormat == 0 ? 1 : 2); pfont->data.numGlyphs = loca_size - 1; + if (pfont->data.numGlyphs > 65535) { + pfont->data.numGlyphs = 65535; + loca_size = (65536 << (pfont->data.indexToLocFormat == 0 ? 1 : 2)); + } + if (pfont->data.numGlyphs > (int)pfont->data.trueNumGlyphs) { /* pfont->key_name.chars is ASCIIZ due to copy_font_name. */ char buf[gs_font_name_max + 2]; |
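Review bot: In the second hunk, `pfont->data.numGlyphs = loca_size - 1;` is still evaluated before the new clamp, so a loca table that shifts down to `loca_size == 0` produces -1 or a wrapped value (depending on the field's type) rather than an over-large count, and the `> 65535` test only catches that case if numGlyphs is unsigned; consider rejecting `loca_size == 0` explicitly before the subtraction. Also, the clamp silently shrinks the font to 65535 glyphs and recomputes `loca_size` to match instead of failing the font; since the following line already compares numGlyphs against `(int)pfont->data.trueNumGlyphs` from maxp, a short comment stating that the truncation is deliberate and that the maxp comparison is what ultimately reports the inconsistency would help the next reader. Minor: `(pfont->data.indexToLocFormat == 0 ? 1 : 2)` now appears twice and `65535`/`65536` are bare magic numbers; computing the shift once into a local and naming the glyph limit would keep the two uses in sync.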