author | Chris Liddell <chris.liddell@artifex.com> | 2017-06-12 12:59:38 +0100 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2017-06-12 18:00:21 +0100 |
commit | d2ab84732936b6e7e5a461dc94344902965e9a06 (patch) | |
tree | ae2ecdb115324bbd415399ec85c4d6ca70ebe569 /xps/xpsfont.c | |
parent | f6507e828ddfe1f60645bc925bff9bedfdb306ce (diff) | |
download | ghostpdl-d2ab84732936b6e7e5a461dc94344902965e9a06.tar.gz |
Bug 698025: validate offsets reading TTF name table in xps
Diffstat (limited to 'xps/xpsfont.c')
-rw-r--r-- | xps/xpsfont.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/xps/xpsfont.c b/xps/xpsfont.c
index 62c00db31..fa68e8281 100644
--- a/xps/xpsfont.c
+++ b/xps/xpsfont.c
@@ -182,12 +182,27 @@ xps_load_sfnt_name(xps_font_t *font, char *namep)
 return;
 }
+ /* validate the offset, and the data for the two
+ * values we're about to read
+ */
+ if (offset + 6 > font->length)
+ {
+ gs_warn("name table byte offset invalid");
+ return;
+ }
 namedata = font->data + offset;
 /*format = u16(namedata + 0);*/
 count = u16(namedata + 2);
 stringoffset = u16(namedata + 4);
+ if (stringoffset + offset > font->length
+ || offset + 6 + count * 12 > font->length)
+ {
+ gs_warn("name table invalid");
+ return;
+ }
+
 if (length < 6 + (count * 12))
 {
 gs_warn("name table too short"); |
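Review bot: The added bounds checks are written as sums (`offset + 6 > font->length`, `offset + 6 + count * 12 > font->length`), and `offset` comes from the font file. If `offset` and `font->length` are plain `int` (their declarations are above the hunk), a very large offset can overflow the addition, which is undefined for signed values, and the comparison may then pass. The subtraction form avoids this for the first check: `if (font->length < 6 || offset > font->length - 6)`, and the second can be bounded the same way against `font->length - offset`. Separately, `stringoffset + offset > font->length` only proves that the start of the string storage lies inside the buffer. The rest of xps_load_sfnt_name is outside the hunk, so any later read using a name record's own string offset and length presumably still needs its own check against `font->length`.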