From 3dab3b466b2ed956875386f0675a37448cc5faba Mon Sep 17 00:00:00 2001
From: Ken Sharp
Date: Thu, 4 May 2023 13:25:54 +0100
Subject: GhostPDF, pdfwrite, graphics library - fix WMode usage

OSS-fuzz #58582

The fundamental problem here is that pdfwrite was assuming that the font WMode could only ever be 0 or 1 (the only two valid values) and so was using it as a bitfield, shifting and OR'ing it with other values.

The file in this case has a CMap which contains:

/WMode 8883123282518010140455180910294889 def

Which gets clamped to the maximum unsigned integer 0x7fffff

This led to a non-zero value in the flags to the glyph info code, when the value *should* have been 0, which caused the graphics library to take a code path which wasn't valid. This led to us trying to use a member of a structure whose pointer was NULL.

I can't be certain whether other places in the code use WMode in the same way, so I've chosen to fix this at several levels.

Firstly, in the code path we shouldn't reach (gs_type42_glyph_info_by_gid) check the value of pmat before calling gs_default_glyph_info. That code will try to use the matrix to scale the outline, so if it is NULL then the result is undefined. This prevents the seg fault.

Secondly, in gdevpdtc.c, scan_cmap_text(), set wmode to be either 0 or 1, to ensure that it does work as a bit, rather than using the integer value from the font and assuming it will be 0 or 1.

Finally in the three places in the PDF interpreter where we set the WMode for the font, check to see if the value is either 0 or 1 and if it is not, raise a warning and make it 0 or 1.
---
 base/gstype42.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'base')

diff --git a/base/gstype42.c b/base/gstype42.c
index 4525744ae..b6f106820 100644
--- a/base/gstype42.c
+++ b/base/gstype42.c
@@ -1385,6 +1385,9 @@ gs_type42_glyph_info_by_gid(gs_font *font, gs_glyph glyph, const gs_matrix *pmat outline.memory = pfont->memory; if (default_members) { + if (pmat == NULL) + return gs_note_error(gs_error_undefinedresult); + code = gs_default_glyph_info(font, glyph, pmat, default_members, info); if (code < 0) -- cgit v1.2.1
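Review bot: the early `return gs_note_error(gs_error_undefinedresult);` added inside `if (default_members)` leaves gs_type42_glyph_info_by_gid before the existing `if (code < 0)` error handling that follows the gs_default_glyph_info call, and the context line `outline.memory = pfont->memory;` shows that `outline` has already been set up by this point. Please confirm that nothing acquired for `outline` earlier in the function needs releasing on this path; if the `code < 0` branch frees or resets anything, the NULL-pmat case should set `code` and fall through to that same exit rather than return directly, so the two error paths stay consistent. Also worth noting for anyone reading this view: the commit message describes three fixes (this check, the wmode normalisation in gdevpdtc.c scan_cmap_text(), and the 0/1 validation in the PDF interpreter), but the diff shown is limited to 'base' and contains only the first of them, so the hunk on its own is a defensive backstop, not the fix for the underlying WMode-as-bitfield assumption.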