From d592ee18a9168b1190bc7f7a1426b41fa6d508af Mon Sep 17 00:00:00 2001
From: Chris Liddell
Date: Thu, 29 Jun 2017 11:00:38 +0100
Subject: Bug 698151: XPS: bounds check selecting cmap table.
---
 xps/xpsfont.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
(limited to 'xps')
diff --git a/xps/xpsfont.c b/xps/xpsfont.c
index f65780b99..ddd3950fd 100644
--- a/xps/xpsfont.c
+++ b/xps/xpsfont.c
@@ -293,17 +293,19 @@ xps_load_sfnt_cmap(xps_font_t *font)
 }
 cmapdata = font->data + offset;
-
- nsubtables = u16(cmapdata + 2);
- if (nsubtables < 0 || length < 4 + nsubtables * 8)
+ if (cmapdata + 4 < font->data + font->length)
 {
- gs_warn("cannot find cmap sub-tables");
- return;
- }
+ nsubtables = u16(cmapdata + 2);
+ if (nsubtables < 0 || length < 4 + nsubtables * 8)
+ {
+ gs_warn("cannot find cmap sub-tables");
+ return;
+ }
- font->cmaptable = offset;
- font->cmapsubcount = nsubtables;
- font->cmapsubtable = 0;
+ font->cmaptable = offset;
+ font->cmapsubcount = nsubtables;
+ font->cmapsubtable = 0;
+ }
 }
 /*
--
cgit v1.2.1
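Review bot: The new guard `if (cmapdata + 4 < font->data + font->length)` runs only after `font->data + offset` has been formed, so an offset past the end of the buffer is tested by comparing a pointer that is already out of range, which is undefined behaviour and may wrap or be optimised away. Checking the integers before building the pointer is safer, e.g. `if (offset < 0 || font->length < 4 || offset > font->length - 4) { gs_warn("cmap table offset out of range"); return; }` (this assumes both are signed ints; their declarations are outside the hunk). That form keeps the early-return style of the neighbouring check and gives the failing path a warning, whereas the new code falls through silently when the bound fails. The hunk also does not show `length` being bounded against `font->length`, so the `length < 4 + nsubtables * 8` test may still rely on a value taken from the font file; worth confirming where `offset` and `length` are produced. The function begins above the hunk.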