Bug 705772 XPS CFF dict boundary read

The actual file supplied gets caught earlier by other checks, but just adding this for one more level of security.
author: Michael Vrhel <michael.vrhel@artifex.com> 2023-02-13 11:45:37 -0800
committer: Michael Vrhel <michael.vrhel@artifex.com> 2023-02-13 11:45:37 -0800
commit: 534eb8dd5042c442f079e3f750ac0126b6445a3e (patch)
tree: f9c3295b7d86fb563ad06475e9221ca9523a531c /xps
parent: 9e79b6b270bfbe54a4cfee706fba98f76848a149 (diff)
download: ghostpdl-534eb8dd5042c442f079e3f750ac0126b6445a3e.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/xps/xpscff.c b/xps/xpscff.c
index 0978d80de..216905283 100644
--- a/xps/xpscff.c
+++ b/xps/xpscff.c
@@ -215,6 +215,8 @@ xps_read_cff_dict(byte *p, byte *e, xps_font_t *font, gs_font_type1 *pt1)
                     return gs_throw(-1, "corrupt cff file offset");
                 privatelen = args[0].ival;
                 privateofs = args[1].ival;
+                if ((font->cffdata + privateofs + privatelen) > font->cffend)
+                    return gs_throw(-1, "corrupt cff file offset");
             }
 
             if (b0 == 19)
author	Michael Vrhel <michael.vrhel@artifex.com>	2023-02-13 11:45:37 -0800
committer	Michael Vrhel <michael.vrhel@artifex.com>	2023-02-13 11:45:37 -0800
commit	534eb8dd5042c442f079e3f750ac0126b6445a3e (patch)
tree	f9c3295b7d86fb563ad06475e9221ca9523a531c /xps
parent	9e79b6b270bfbe54a4cfee706fba98f76848a149 (diff)
download	ghostpdl-534eb8dd5042c442f079e3f750ac0126b6445a3e.tar.gz