author | Michael Vrhel <michael.vrhel@artifex.com> | 2023-02-13 11:45:37 -0800 |
---|---|---|
committer | Michael Vrhel <michael.vrhel@artifex.com> | 2023-02-13 11:45:37 -0800 |
commit | 534eb8dd5042c442f079e3f750ac0126b6445a3e (patch) | |
tree | f9c3295b7d86fb563ad06475e9221ca9523a531c /xps | |
parent | 9e79b6b270bfbe54a4cfee706fba98f76848a149 (diff) | |
download | ghostpdl-534eb8dd5042c442f079e3f750ac0126b6445a3e.tar.gz |
Bug 705772 XPS CFF dict boundary read
The actual file supplied gets caught earlier by other checks, but just adding
this for one more level of security.
Diffstat (limited to 'xps')
-rw-r--r-- | xps/xpscff.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/xps/xpscff.c b/xps/xpscff.c
index 0978d80de..216905283 100644
--- a/xps/xpscff.c
+++ b/xps/xpscff.c
@@ -215,6 +215,8 @@ xps_read_cff_dict(byte *p, byte *e, xps_font_t *font, gs_font_type1 *pt1)
 return gs_throw(-1, "corrupt cff file offset");
 privatelen = args[0].ival;
 privateofs = args[1].ival;
+ if ((font->cffdata + privateofs + privatelen) > font->cffend)
+ return gs_throw(-1, "corrupt cff file offset");
 }
 if (b0 == 19) |
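Review bot: The added bound check in the `b0 == 18` branch forms the pointer `font->cffdata + privateofs + privatelen` before comparing it, so the two values it is meant to validate are used in pointer arithmetic first. Both come straight from the file's DICT operands (`args[0].ival`, `args[1].ival`); if they are signed ints, as the `.ival` name suggests, a negative or very large value makes the sum undefined behaviour and can leave it at or below `font->cffend`, so the check passes. Comparing against the remaining size avoids forming an out-of-range pointer: `if (privateofs < 0 || privatelen < 0 || privateofs > font->cffend - font->cffdata || privatelen > font->cffend - font->cffdata - privateofs)` followed by the same `gs_throw`. The body of xps_read_cff_dict starts and ends outside the hunk, so the declared types of the two variables and the place where they are later used are not visible here.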