Bug 698064: bounds check xps_encode/decode_font_char_imp

author: Chris Liddell <chris.liddell@artifex.com> 2017-06-16 08:50:43 +0100
committer: Chris Liddell <chris.liddell@artifex.com> 2017-06-16 09:11:57 +0100
commit: 961b10cdd71403072fb99401a45f3bef6ce53626 (patch)
tree: 0852f0ac56799e93d735940d847541fb29e48fe3 /xps
parent: c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 (diff)
download: ghostpdl-961b10cdd71403072fb99401a45f3bef6ce53626.tar.gz
1 files changed, 19 insertions, 5 deletions
diff --git a/xps/xpsfont.c b/xps/xpsfont.c
index 7ae7d2239..83362d768 100644
--- a/xps/xpsfont.c
+++ b/xps/xpsfont.c
@@ -379,9 +379,14 @@ xps_encode_font_char_imp(xps_font_t *font, int code)
             byte *startCount = endCount + segCount2 + 2;
             byte *idDelta = startCount + segCount2;
             byte *idRangeOffset = idDelta + segCount2;
+            byte *giddata;
             int i2;
 
-            for (i2 = 0; i2 < segCount2 - 3; i2 += 2)
+            if (segCount2 < 3 || segCount2 > 65535 ||
+               idRangeOffset > font->data + font->length)
+               return gs_error_invalidfont;
+
+           for (i2 = 0; i2 < segCount2 - 3; i2 += 2)
             {
                 int delta, roff;
                 int start = u16(startCount + i2);
@@ -396,9 +401,12 @@ xps_encode_font_char_imp(xps_font_t *font, int code)
                 if ( roff == 0 )
                 {
                     return ( code + delta ) & 0xffff; /* mod 65536 */
-                    return 0;
                 }
-                glyph = u16(idRangeOffset + i2 + roff + ((code - start) << 1));
+                if ((giddata = (idRangeOffset + i2 + roff + ((code - start) << 1))) >
+                    font->data + font->length) {
+                    return code;
+                }
+                glyph = u16(giddata);
                 return (glyph == 0 ? 0 : glyph + delta);
             }
 
@@ -498,9 +506,11 @@ xps_decode_font_char_imp(xps_font_t *font, int code)
                 byte *startCount = endCount + segCount2 + 2;
                 byte *idDelta = startCount + segCount2;
                 byte *idRangeOffset = idDelta + segCount2;
+                byte *giddata;
                 int i2;
 
-                if (segCount2 < 3 || segCount2 > 65535)
+                if (segCount2 < 3 || segCount2 > 65535 ||
+                    idRangeOffset > font->data + font->length)
                     return gs_error_invalidfont;
 
                 for (i2 = 0; i2 < segCount2 - 3; i2 += 2)
@@ -517,7 +527,11 @@ xps_decode_font_char_imp(xps_font_t *font, int code)
                         if (roff == 0) {
                             glyph = (i + delta) & 0xffff;
                         } else {
-                            glyph = u16(idRangeOffset + i2 + roff + ((i - start) << 1));
+                            if ((giddata = (idRangeOffset + i2 + roff + ((i - start) << 1))) >
+                                 font->data + font->length) {
+                                return_error(gs_error_invalidfont);
+                            }
+                            glyph = u16(giddata);
                         }
                         if (glyph == code) {
                             return i;
author	Chris Liddell <chris.liddell@artifex.com>	2017-06-16 08:50:43 +0100
committer	Chris Liddell <chris.liddell@artifex.com>	2017-06-16 09:11:57 +0100
commit	961b10cdd71403072fb99401a45f3bef6ce53626 (patch)
tree	0852f0ac56799e93d735940d847541fb29e48fe3 /xps
parent	c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 (diff)
download	ghostpdl-961b10cdd71403072fb99401a45f3bef6ce53626.tar.gz