oss-fuzz 42479: Handle badly broken CMaps

In this case, a ToUnicode CMap. The code was trying to be too liberal in carrying on in the face of broken input meaning, in this case, array indeces were ending up negative. In which case, we'll now stop interpreting, and ignore the ToUnicode CMap.
author: Chris Liddell <chris.liddell@artifex.com> 2021-12-17 10:36:20 +0000
committer: Chris Liddell <chris.liddell@artifex.com> 2021-12-17 11:49:06 +0000
commit: cb2b78cddfc67fee13b4bec3f16747f2ec611793 (patch)
tree: 08d17c15507bea28180aa75b3a2772990f8da656 /pdf/pdf_cmap.c
parent: 82d534f8f69fd4939faf4b7f20df5cc2462973d8 (diff)
download: ghostpdl-cb2b78cddfc67fee13b4bec3f16747f2ec611793.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/pdf/pdf_cmap.c b/pdf/pdf_cmap.c
index c06380d08..bc9b6f473 100644
--- a/pdf/pdf_cmap.c
+++ b/pdf/pdf_cmap.c
@@ -174,6 +174,11 @@ static int general_endcidrange_func(gs_memory_t *mem, pdf_ps_ctx_t *s, pdf_cmap
                 preflen = 1;
             }
 
+            if (stobj[i].size - preflen < 0 || stobj[i + 1].size - preflen < 0) {
+                (void)pdf_ps_stack_pop(s, to_pop);
+                return_error(gs_error_syntaxerror);
+            }
+
             /* Find how many bytes we need for the cidbase value */
             /* We always store at least two bytes for the cidbase value */
             for (valuelen = 16; valuelen < 32 && (cidbase >> valuelen) > 0; valuelen += 1)
author	Chris Liddell <chris.liddell@artifex.com>	2021-12-17 10:36:20 +0000
committer	Chris Liddell <chris.liddell@artifex.com>	2021-12-17 11:49:06 +0000
commit	cb2b78cddfc67fee13b4bec3f16747f2ec611793 (patch)
tree	08d17c15507bea28180aa75b3a2772990f8da656 /pdf/pdf_cmap.c
parent	82d534f8f69fd4939faf4b7f20df5cc2462973d8 (diff)
download	ghostpdl-cb2b78cddfc67fee13b4bec3f16747f2ec611793.tar.gz