diff options
author | Chris Liddell <chris.liddell@artifex.com> | 2021-12-17 10:36:20 +0000 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2021-12-17 11:49:06 +0000 |
commit | cb2b78cddfc67fee13b4bec3f16747f2ec611793 (patch) | |
tree | 08d17c15507bea28180aa75b3a2772990f8da656 /pdf/pdf_cmap.c | |
parent | 82d534f8f69fd4939faf4b7f20df5cc2462973d8 (diff) | |
download | ghostpdl-cb2b78cddfc67fee13b4bec3f16747f2ec611793.tar.gz |
oss-fuzz 42479: Handle badly broken CMaps
In this case, a ToUnicode CMap.
The code was trying to be too liberal in carrying on in the face of broken input
meaning, in this case, array indeces were ending up negative.
In which case, we'll now stop interpreting, and ignore the ToUnicode CMap.
Diffstat (limited to 'pdf/pdf_cmap.c')
-rw-r--r-- | pdf/pdf_cmap.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/pdf/pdf_cmap.c b/pdf/pdf_cmap.c index c06380d08..bc9b6f473 100644 --- a/pdf/pdf_cmap.c +++ b/pdf/pdf_cmap.c @@ -174,6 +174,11 @@ static int general_endcidrange_func(gs_memory_t *mem, pdf_ps_ctx_t *s, pdf_cmap preflen = 1; } + if (stobj[i].size - preflen < 0 || stobj[i + 1].size - preflen < 0) { + (void)pdf_ps_stack_pop(s, to_pop); + return_error(gs_error_syntaxerror); + } + /* Find how many bytes we need for the cidbase value */ /* We always store at least two bytes for the cidbase value */ for (valuelen = 16; valuelen < 32 && (cidbase >> valuelen) > 0; valuelen += 1) |