Add a bounds check to cairo_cff_parse_charstring()

The code in cairo-cff-subset.c parses a binary font format without seeming to bother much verifying the data. The result is that poppler can be used to cause an out-of-bounds access in cairo_cff_parse_charstring() via a crafted font file. Fix this by adding the needed length check. The other code in the file also contains lots of similar things. Since I cannot really fix everything properly, I'll just fix the one instance that was found by a fuzzer. No testcase is added, because this depends on a broken font that is quite large. Adding something this big to the test suite does not seem sensible. Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/444 Signed-off-by: Uli Schlachter <psychon@znc.in>
2026-01-08 06:00:21 +01:00 · 2020-12-25 16:09:19 +01:00 · 2020-12-25 16:09:19 +01:00 · 467e7822a9
commit 467e7822a9
parent 979382dd30
1 changed files with 2 additions and 0 deletions
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@ -1604,6 +1604,8 @@ cairo_cff_parse_charstring (cairo_cff_font_t *font,
 		}
            } else {
                sub_num = font->type2_stack_top_value + font->local_sub_bias;
+		if (sub_num >= _cairo_array_num_elements(&font->local_sub_index))
+		    return CAIRO_INT_STATUS_UNSUPPORTED;
                element = _cairo_array_index (&font->local_sub_index, sub_num);
                if (! font->local_subs_used[sub_num] ||
 		    (need_width && !font->type2_found_width))