From 899e6a89f7efd34e190938a3822caa55f67c086e Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Sun, 12 Apr 2026 14:10:25 +0000
Subject: [PATCH] [cff-subset] check subrs offset is within font data

---
 src/cairo-cff-subset.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 8a7de0065..5a54c091a 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -930,6 +930,8 @@ cairo_cff_font_read_private_dict (cairo_cff_font_t *font,
     if (operand) {
         decode_integer (operand, &offset);
         p = ptr + offset;
+        if (unlikely (p < font->data || p > font->data_end))
+            return CAIRO_INT_STATUS_UNSUPPORTED;
         status = cff_index_read (local_sub_index, &p, font->data_end);
         if (unlikely (status))
             return status;
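Review bot: The added check compares a pointer that has already been formed from the untrusted offset on the `p = ptr + offset;` line; when the offset is negative or larger than the remaining font data, `ptr + offset` points outside the buffer before the comparison runs, which is undefined pointer arithmetic in C even though it usually behaves in practice. Validating the integer before forming the pointer avoids that: `if (unlikely (offset < 0 || offset > font->data_end - ptr)) return CAIRO_INT_STATUS_UNSUPPORTED;` placed ahead of `p = ptr + offset;`, after which the `p < font->data` half of the new condition is no longer needed. This assumes offset is a signed int, as the out-parameter of decode_integer suggests, and that ptr itself lies within font->data..font->data_end — confirm both against the callers. The body of cairo_cff_font_read_private_dict starts and ends outside the hunk.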