diff options
| author | Michael Vrhel <michael.vrhel@artifex.com> | 2023-01-18 14:23:02 -0800 |
|---|---|---|
| committer | Michael Vrhel <michael.vrhel@artifex.com> | 2023-01-18 14:23:02 -0800 |
| commit | 6860f08f96d14bdc9e8d477f16c965de2533d07c (patch) | |
| tree | 4df0d9ccc7739bf57587892684bb3d7c095f4645 /xps | |
| parent | 9c7cb870fa7d52369fb2d2fcf37eac3401c4f277 (diff) | |
| download | ghostpdl-6860f08f96d14bdc9e8d477f16c965de2533d07c.tar.gz | |
Bug 705772 XPS Ensure cff pointer offsets are not negative
Diffstat (limited to 'xps')
| -rw-r--r-- | xps/xpscff.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/xps/xpscff.c b/xps/xpscff.c index 8d9f6367b..0978d80de 100644 --- a/xps/xpscff.c +++ b/xps/xpscff.c @@ -204,17 +204,23 @@ xps_read_cff_dict(byte *p, byte *e, xps_font_t *font, gs_font_type1 *pt1) if (b0 == 17) { + if (args[0].ival < 0) + return gs_throw(-1, "corrupt cff file offset"); font->charstrings = font->cffdata + args[0].ival; } if (b0 == 18) { + if (args[0].ival < 0 || args[1].ival < 0) + return gs_throw(-1, "corrupt cff file offset"); privatelen = args[0].ival; privateofs = args[1].ival; } if (b0 == 19) { + if (args[0].ival < 0) + return gs_throw(-1, "corrupt cff file offset"); font->subrs = font->cffdata + offset + args[0].ival; } |