authorEthan Vrhel <ethanvrhel@gmail.com>2022-07-18 17:47:15 -0700
committerEthan Vrhel <ethanvrhel@gmail.com>2022-07-20 14:30:41 -0700
commit7642e51271eafd012a80722b5f82226188de90a2 (patch)
treea1241ae735653b549e2a57eb42d02d809f49d470 /xps
parentd2cacbed7189cc1ae96bf21a93c3d59200be6b22 (diff)
Bug 705608 : XPS interpreter
Fixed a buffer overread in xps_find_sfnt_table. Function now checks to make sure the font's buffer is long enough for the number of subfonts it reports.
Diffstat (limited to 'xps')
-rw-r--r--xps/xpsfont.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/xps/xpsfont.c b/xps/xpsfont.c
index f10c7d995..410c85c6e 100644
--- a/xps/xpsfont.c
+++ b/xps/xpsfont.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -132,6 +132,15 @@ xps_find_sfnt_table(xps_font_t *font, const char *name, int *lengthp)
if (!memcmp(font->data, "ttcf", 4))
{
int nfonts = u32(font->data + 8);
+
+ /* check if the buffer contains enough data to contain nfonts subfonts */
+ int min_len = 12 + nfonts * 4;
+ if (min_len < font->length)
+ {
+ gs_warn("font data length too small");
+ return -1;
+ }
+
if (font->subfontid < 0 || font->subfontid >= nfonts)
{
gs_warn("Invalid subfont ID");
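Review bot: The added guard `if (min_len < font->length)` looks inverted: it returns -1 when the buffer is longer than the required minimum and lets a too-short buffer through, so the overread described in the commit message stays reachable while well-formed TTC data is rejected. The comparison should be `if (min_len > font->length)`. `nfonts` is read from the file with `u32()` into an `int`, so `12 + nfonts * 4` can overflow or go negative for large counts; computing it as `int64_t min_len = 12 + (int64_t)nfonts * 4;` and rejecting `nfonts < 0` before the comparison would close that gap. The body of xps_find_sfnt_table starts and continues outside this hunk, so whether `font->length >= 12` is verified before the `u32(font->data + 8)` read cannot be confirmed from here.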