authorMichael Vrhel <michael.vrhel@artifex.com>2023-01-09 21:33:12 -0800
committerMichael Vrhel <michael.vrhel@artifex.com>2023-01-10 08:57:39 -0800
commit1c2ba240477698cb3d7014aac836ff27c6da3b80 (patch)
tree2a2cc8343b781df52cde3dc98bb95aee1c6be704 /xps
parentd0850f5dffb68f433104a6bc8cc5eec3648450e0 (diff)
downloadghostpdl-1c2ba240477698cb3d7014aac836ff27c6da3b80.tar.gz
Bug 705989 Error checking in xpsfont.c
Ensure we don't access beyond the font->data size
Diffstat (limited to 'xps')
-rw-r--r--xps/xpsfont.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/xps/xpsfont.c b/xps/xpsfont.c
index 61fa7a015..e6b4da5e2 100644
--- a/xps/xpsfont.c
+++ b/xps/xpsfont.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2022 Artifex Software, Inc.
+/* Copyright (C) 2001-2023 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -147,16 +147,29 @@ xps_find_sfnt_table(xps_font_t *font, const char *name, int *lengthp)
return -1;
}
offset = u32(font->data + 12 + font->subfontid * 4);
+ if (offset < 0)
+ {
+ gs_warn("subfont table offset negative");
+ return -1;
+ }
}
else
{
offset = 0;
}
+ if (font->length < offset + 6)
+ {
+ gs_warn("subfont length insufficient for ntables read");
+ return -1;
+
+ }
ntables = u16(font->data + offset + 4);
if (font->length < offset + 12 + ntables * 16)
+ {
+ gs_warn("subfont length insufficient for entry reads");
return -1;
-
+ }
for (i = 0; i < ntables; i++)
{
byte *entry = font->data + offset + 12 + i * 16;
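Review bot: The two new length checks, `font->length < offset + 6` and `font->length < offset + 12 + ntables * 16`, add to the file-supplied `offset` before comparing, so an offset near the top of its range can overflow the sum and let the comparison pass. The added `offset < 0` test suggests `offset` is a signed int, but its declaration and that of `font->length` are outside the hunk, so this is inferred. Comparing against the remaining length avoids the addition: `if (font->length < 6 || offset > font->length - 6)` for the ntables read, then `if (ntables * 16 > font->length - offset - 12)` for the entry table, assuming both values are signed ints. The body of xps_find_sfnt_table starts and ends outside the hunk, so the bounds of the earlier `font->data + 12 + font->subfontid * 4` read and of the per-entry fields used in the loop cannot be confirmed from here.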