authorChris Liddell <chris.liddell@artifex.com>2017-06-12 12:59:38 +0100
committerChris Liddell <chris.liddell@artifex.com>2017-06-12 18:00:21 +0100
commitd2ab84732936b6e7e5a461dc94344902965e9a06 (patch)
treeae2ecdb115324bbd415399ec85c4d6ca70ebe569 /xps/xpsfont.c
parentf6507e828ddfe1f60645bc925bff9bedfdb306ce (diff)
Bug 698025: validate offsets reading TTF name table in xps
Diffstat (limited to 'xps/xpsfont.c')
-rw-r--r--xps/xpsfont.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/xps/xpsfont.c b/xps/xpsfont.c
index 62c00db31..fa68e8281 100644
--- a/xps/xpsfont.c
+++ b/xps/xpsfont.c
@@ -182,12 +182,27 @@ xps_load_sfnt_name(xps_font_t *font, char *namep)
return;
}
+ /* validate the offset, and the data for the two
+ * values we're about to read
+ */
+ if (offset + 6 > font->length)
+ {
+ gs_warn("name table byte offset invalid");
+ return;
+ }
namedata = font->data + offset;
/*format = u16(namedata + 0);*/
count = u16(namedata + 2);
stringoffset = u16(namedata + 4);
+ if (stringoffset + offset > font->length
+ || offset + 6 + count * 12 > font->length)
+ {
+ gs_warn("name table invalid");
+ return;
+ }
+
if (length < 6 + (count * 12))
{
gs_warn("name table too short");