truetype: check cmap size before allocating memory

Fixes #264
2026-05-08 07:58:02 +02:00 · 2021-07-23 18:32:44 +09:30 · 2021-07-23 18:32:44 +09:30 · ae04679a08
commit ae04679a08
parent e5e63a0462
1 changed files with 4 additions and 0 deletions
--- a/src/cairo-truetype-subset.c
+++ b/src/cairo-truetype-subset.c
@ -1297,6 +1297,10 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
 	return CAIRO_INT_STATUS_UNSUPPORTED;

    size = be16_to_cpu (map_header.length);
+    /* minimum table size is 24 bytes */
+    if (size < 24)
+	return CAIRO_INT_STATUS_UNSUPPORTED;
+
    map = _cairo_malloc (size);
    if (unlikely (map == NULL))
 	return _cairo_error (CAIRO_STATUS_NO_MEMORY);