-rw-r--r-- | xps/xpsfont.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/xps/xpsfont.c b/xps/xpsfont.c index 6894bfb78..62c00db31 100644 --- a/xps/xpsfont.c +++ b/xps/xpsfont.c @@ -459,6 +459,10 @@ xps_decode_font_char_imp(xps_font_t *font, int code) case 0: /* Apple standard 1-to-1 mapping. */ { int i, length = u16(&table[2]) - 6; + + if (length < 0 || length > 256) + return gs_error_invalidfont; + for (i=0;i<length;i++) { if (table[6 + i] == code) return i; @@ -474,6 +478,9 @@ xps_decode_font_char_imp(xps_font_t *font, int code) byte *idRangeOffset = idDelta + segCount2; int i2; + if (segCount2 < 3 || segCount2 > 65535) + return gs_error_invalidfont; + for (i2 = 0; i2 < segCount2 - 3; i2 += 2) { int delta = s16(idDelta + i2), roff = s16(idRangeOffset + i2); @@ -481,6 +488,9 @@ xps_decode_font_char_imp(xps_font_t *font, int code) int end = u16(endCount + i2); int glyph, i; + if (end < start) + return gs_error_invalidfont; + for (i=start;i<=end;i++) { if (roff == 0) { glyph = (i + delta) & 0xffff; @@ -498,6 +508,10 @@ xps_decode_font_char_imp(xps_font_t *font, int code) { int ch, i, length = u16(&table[8]); int firstCode = u16(&table[6]); + + if (length < 0 || length > 65535) + return gs_error_invalidfont; + for (i=0;i<length;i++) { ch = u16(&table[10 + (i * 2)]); if (ch == code) @@ -507,7 +521,7 @@ xps_decode_font_char_imp(xps_font_t *font, int code) return 0; case 10: /* Trimmed array (like 6) */ { - int ch, i, length = u32(&table[20]); + unsigned int ch, i, length = u32(&table[20]); int firstCode = u32(&table[16]); for (i=0;i<length;i++) { ch = u16(&table[10 + (i * 2)]); @@ -518,7 +532,7 @@ xps_decode_font_char_imp(xps_font_t *font, int code) return 0; case 12: /* Segmented coverage. (like 4) */ { - int nGroups = u32(&table[12]); + unsigned int nGroups = u32(&table[12]); int Group; for (Group=0;Group<nGroups;Group++) |
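Review bot: The new guard in `case 0` caps `length` at the format maximum of 256 but never compares it with the bytes actually left in the font buffer, so a cmap subtable that sits near the end of a truncated or malformed font can still make `table[6 + i]` read past the allocation. The same gap remains in the second hunk, where `segCount2` up to 65535 drives reads through `endCount`, `idDelta` and `idRangeOffset`, and in the fourth hunk, which reads `table[10 + (i * 2)]`. `table` and the font size are set up outside these hunks, so the exact expression is a guess, but each case wants a check of the form `if (6 + length > bytes_left) return gs_error_invalidfont;`, where `bytes_left` is a placeholder for the distance from `table` to the end of the font data.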
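Review bot: The `return gs_error_invalidfont;` added after the `segCount2` check, like the ones in the other three guards, puts a negative error code on the same return path that elsewhere yields a glyph index (`return i;`) or `0` for no mapping. The callers are outside this diff, so it is worth confirming that each one tests for a negative result before using the value as a glyph id. A header comment on `xps_decode_font_char_imp` such as `/* Returns the glyph index, 0 when the code is unmapped, or a negative gs_error_* value when the cmap subtable is malformed. */` would make the new contract explicit.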
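Review bot: The check `length < 0 || length > 65535` added in the fourth hunk can never be true, because `length` is assigned from `u16(&table[8])` a few lines above, and a 16-bit read is always within that range (assuming `u16` returns an unsigned 16-bit value; its definition is outside the diff). The loop therefore still trusts the file-supplied count and reads `table[10 + (i * 2)]` for up to 65535 entries. A guard that limits `length` by the space remaining after the 10-byte header would make the check effective, for example `if (10 + length * 2 > bytes_left) return gs_error_invalidfont;`, with `bytes_left` standing for the bytes between `table` and the end of the font data.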
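Review bot: Changing `length` to `unsigned int` in `case 10` presumably keeps a count above `INT_MAX` from turning negative, but the value is still an unchecked 32-bit field taken from the file, so the loop can run for billions of iterations while reading `table[10 + (i * 2)]` far beyond the font data. `nGroups` in `case 12` (the next hunk) has the same problem. Unlike the 16-bit cases, neither hunk adds a range check. Each needs an upper bound derived from the bytes remaining after `table`, returning `gs_error_invalidfont` when the count does not fit.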
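Review bot: In `case 12`, `nGroups` is now `unsigned int` but the loop counter on the next line is still `int Group;`, so `Group<nGroups` is evaluated as an unsigned comparison. For a file-supplied `nGroups` above `INT_MAX`, `Group++` would eventually overflow a signed int, which is undefined behaviour. Declaring the counter as `unsigned int Group;` keeps both sides the same type, as the previous hunk already does for `i` and `length`. The loop body is outside the hunk, so any use of `Group` as a signed index there needs the same review.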