author | Ethan Vrhel <ethanvrhel@gmail.com> | 2022-08-08 16:07:27 -0700 |
---|---|---|
committer | Ethan Vrhel <ethanvrhel@gmail.com> | 2022-08-10 15:32:45 -0700 |
commit | bfee68bd4724373e41301e22c4d8e66c23a63a1a (patch) | |
tree | 1507bc2de9ec429dd9c17c8003f40b0c485c9955 /xps | |
parent | c97ea3fa01aced952bf7917b31cfc977c9a6d5fc (diff) | |
download | ghostpdl-bfee68bd4724373e41301e22c4d8e66c23a63a1a.tar.gz |
Bug 705630 : XPS interpreter
Fixed an issue in xps_init_postscript_font where a font table would
be outside the range of the buffer, and made sure that no integer overflow
occurs when computing the size of the table.
Diffstat (limited to 'xps')
-rw-r--r-- | xps/xpscff.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/xps/xpscff.c b/xps/xpscff.c
index f2d4f26eb..269926c06 100644
--- a/xps/xpscff.c
+++ b/xps/xpscff.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2022 Artifex Software, Inc.
 All Rights Reserved.
 This software is provided AS-IS with no warranty, either express or
@@ -812,6 +812,7 @@ xps_init_postscript_font(xps_context_t *ctx, xps_font_t *font)
 gs_font_type1 *pt1;
 int cffofs;
 int cfflen;
+ int cffend;
 int code;
 /* Find the CFF table and parse it to create a charstring based font */
@@ -822,11 +823,13 @@ xps_init_postscript_font(xps_context_t *ctx, xps_font_t *font)
 if (cffofs < 0)
 return gs_throw(-1, "cannot find CFF table");
- if (cfflen < 0 || cffofs + cfflen > font->length)
+ /* check the table is within the buffer and no integer overflow occurs */
+ cffend = cffofs + cfflen;
+ if (cffend < cffofs || cfflen < 0 || cffend > font->length)
 return gs_throw(-1, "corrupt CFF table location");
 font->cffdata = font->data + cffofs;
- font->cffend = font->data + cffofs + cfflen;
+ font->cffend = font->data + cffend;
 font->gsubrs = 0;
 font->subrs = 0; |
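Review bot: The overflow test in the last hunk runs after the addition it is meant to guard. `cffend = cffofs + cfflen;` is evaluated first, and all three are plain `int` (see the declarations in the previous hunk), so an overflowing sum is undefined behaviour and an optimising compiler may drop the `cffend < cffofs` comparison. Since `cffofs < 0` is already rejected just above, the range can be validated without forming an out-of-range sum: `if (cfflen < 0 || cffofs > font->length || cfflen > font->length - cffofs)`, followed by `cffend = cffofs + cfflen;` once the check has passed. The type of `font->length` is not visible in this diff, so confirm the comparison and subtraction behave as intended for it. xps_init_postscript_font begins and ends outside the hunk.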