fdo-mirrors/cairo
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/cairo/cairo.git synced 2026-04-20 07:10:46 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Check that reads in truetype_reverse_cmap are within valid data

Browse source 
Bulia Byak reported a bug where cairo was crashing with a particular
font. The font had an incorrect entry in the cmap table that caused
cairo to read from outside of the buffer allocated for the cmap.
This commit is contained in:
Adrian Johnson 2008-10-11 23:44:37 +10:30
parent a16ef6ead2
commit 34ff7e4ac4
1 changed files with 11 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/cairo-truetype-subset.c
View file

@ -1220,6 +1220,12 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
goto fail;
num_segments = be16_to_cpu (map->segCountX2)/2;
/* A Format 4 cmap contains 8 uint16_t numbers and 4 arrays of
* uint16_t each num_segments long. */
if (size < (8 + 4*num_segments)*sizeof(uint16_t))
return CAIRO_INT_STATUS_UNSUPPORTED;
end_code = map->endCount;
start_code = &(end_code[num_segments + 1]);
delta = &(start_code[num_segments]);
@ -1246,13 +1252,17 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
uint16_t g_id_be = cpu_to_be16 (index);
int j;
if (range_size > 0)
if (range_size > 0) {
if ((char*)glyph_ids + 2*range_size > (char*)map + size)
return CAIRO_INT_STATUS_UNSUPPORTED;
for (j = 0; j < range_size; j++) {
if (glyph_ids[j] == g_id_be) {
*ucs4 = be16_to_cpu (start_code[i]) + j;
goto found;
}
}
}
}
}