Merge branch 'issue-579' into 'master'

Fix issue 579 Closes #579 See merge request cairo/cairo!340
2026-05-04 23:28:07 +02:00 · 2022-08-02 11:37:58 +00:00 · 2022-08-02 11:37:58 +00:00 · 541719ff75
commit 541719ff75
parent afba396847 53faf76e57
1 changed files with 16 additions and 12 deletions
--- a/src/cairo-truetype-subset.c
+++ b/src/cairo-truetype-subset.c
@ -1442,17 +1442,17 @@ cleanup:
 #define MAX_FONT_NAME_LENGTH 127

 static cairo_status_t
-find_name (tt_name_t *name, int name_id, int platform, int encoding, int language, char **str_out)
+find_name (tt_name_t *name, unsigned long size, int name_id, int platform, int encoding, int language, char **str_out)
 {
    tt_name_record_t *record;
-    int i, len;
+    unsigned int i, len;
    char *str;
    char *p;
    cairo_bool_t has_tag;
    cairo_status_t status;

    str = NULL;
-    for (i = 0; i < be16_to_cpu (name->num_records); i++) {
+    for (i = 0; i < MIN(be16_to_cpu (name->num_records), size / sizeof(name->records[0])); i++) {
        record = &(name->records[i]);
 	if (be16_to_cpu (record->name) == name_id &&
 	    be16_to_cpu (record->platform) == platform &&
@ -1466,14 +1466,18 @@ find_name (tt_name_t *name, int name_id, int platform, int encoding, int languag
 	    if (len > MAX_FONT_NAME_LENGTH)
 		break;

+	    uint16_t offset = be16_to_cpu (name->strings_offset) + be16_to_cpu (record->offset);
+	    if (offset + len > size)
+		return _cairo_error (CAIRO_STATUS_NO_MEMORY);
+
 	    str = _cairo_malloc (len + 1);
 	    if (str == NULL)
 		return _cairo_error (CAIRO_STATUS_NO_MEMORY);

 	    memcpy (str,
-		    ((char*)name) + be16_to_cpu (name->strings_offset) + be16_to_cpu (record->offset),
+		    ((char*)name) + offset,
 		    len);
-	    str[be16_to_cpu (record->length)] = 0;
+	    str[len] = 0;
 	    break;
 	}
    }
@ -1487,7 +1491,7 @@ find_name (tt_name_t *name, int name_id, int platform, int encoding, int languag
 	int size = 0;
 	char *utf8;
 	uint16_t *u = (uint16_t *) str;
-	int u_len = len/2;
+	unsigned int u_len = len/2;

 	for (i = 0; i < u_len; i++)
 	    size += _cairo_ucs4_to_utf8 (be16_to_cpu(u[i]), NULL);
@ -1585,35 +1589,35 @@ _cairo_truetype_read_font_name (cairo_scaled_font_t  	 *scaled_font,

    /* Find PS Name (name_id = 6). OT spec says PS name must be one of
     * the following two encodings */
-    status = find_name (name, 6, 3, 1, 0x409, &ps_name); /* win, unicode, english-us */
+    status = find_name (name, size, 6, 3, 1, 0x409, &ps_name); /* win, unicode, english-us */
    if (unlikely(status))
 	goto fail;

    if (!ps_name) {
-	status = find_name (name, 6, 1, 0, 0, &ps_name); /* mac, roman, english */
+	status = find_name (name, size, 6, 1, 0, 0, &ps_name); /* mac, roman, english */
 	if (unlikely(status))
 	    goto fail;
    }

    /* Find Family name (name_id = 1) */
-    status = find_name (name, 1, 3, 1, 0x409, &family_name); /* win, unicode, english-us */
+    status = find_name (name, size, 1, 3, 1, 0x409, &family_name); /* win, unicode, english-us */
    if (unlikely(status))
 	goto fail;

    if (!family_name) {
-	status = find_name (name, 1, 3, 0, 0x409, &family_name); /* win, symbol, english-us */
+	status = find_name (name, size, 1, 3, 0, 0x409, &family_name); /* win, symbol, english-us */
 	if (unlikely(status))
 	    goto fail;
    }

    if (!family_name) {
-	status = find_name (name, 1, 1, 0, 0, &family_name); /* mac, roman, english */
+	status = find_name (name, size, 1, 1, 0, 0, &family_name); /* mac, roman, english */
 	if (unlikely(status))
 	    goto fail;
    }

    if (!family_name) {
-	status = find_name (name, 1, 3, 1, -1, &family_name); /* win, unicode, any language */
+	status = find_name (name, size, 1, 3, 1, -1, &family_name); /* win, unicode, any language */
 	if (unlikely(status))
 	    goto fail;
    }