From 899e6a89f7efd34e190938a3822caa55f67c086e Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Sun, 12 Apr 2026 14:10:25 +0000
Subject: [PATCH 1/2] [cff-subset] check subrs offset is within font data
---
 src/cairo-cff-subset.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 8a7de0065..5a54c091a 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -930,6 +930,8 @@ cairo_cff_font_read_private_dict (cairo_cff_font_t *font,
 if (operand) {
 decode_integer (operand, &offset);
 p = ptr + offset;
+ if (unlikely (p < font->data || p > font->data_end))
+ return CAIRO_INT_STATUS_UNSUPPORTED;
 status = cff_index_read (local_sub_index, &p, font->data_end);
 if (unlikely (status))
 return status;
From d80b44afa46aa23b47331819b77d55ea5c59f570 Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Sun, 19 Apr 2026 13:01:56 +0100
Subject: [PATCH 2/2] Range-check FDSelect value during CFF subsetting.
---
 src/cairo-cff-subset.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 5a54c091a..a725c726d 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1876,6 +1876,10 @@ cairo_cff_font_subset_fontdict (cairo_cff_font_t *font)
 }
 fd = font->fdselect[gid];
+ if (fd < 0 || (unsigned int) fd >= font->num_fontdicts) {
+ free (reverse_map);
+ return CAIRO_INT_STATUS_UNSUPPORTED;
+ }
 if (reverse_map[fd] < 0) {
 font->fd_subset_map[font->num_subset_fontdicts] = fd;
 reverse_map[fd] = font->num_subset_fontdicts++;
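Review bot: The added bounds check runs after `p = ptr + offset;` has already formed the pointer, so an offset taken from the font file that points outside the data has produced an out-of-range pointer before it is compared, which is undefined pointer arithmetic in C and a comparison the optimizer may legitimately simplify away. Checking the decoded integer against the remaining span is the robust form: `if (unlikely (offset < 0 || offset > font->data_end - ptr))` / `return CAIRO_INT_STATUS_UNSUPPORTED;` placed before `p = ptr + offset;`. This assumes `ptr` already lies inside `[font->data, font->data_end]` and that `offset` is a signed integer type, neither of which the hunk shows. A one-line comment such as `/* Subrs offset comes from untrusted font data; reject it before cff_index_read reads through it. */` would record why the check exists. cairo_cff_font_read_private_dict begins and ends outside the hunk.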
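Review bot: The new range check protects `reverse_map[fd]` but sits one line after `fd = font->fdselect[gid];`, and nothing in the hunk shows `gid` being bounded against the length of `fdselect`; if that is guaranteed only elsewhere, a short comment here would make the contract explicit, e.g. `/* fd is read from the font's FDSelect table; a malformed font can name a font dict that does not exist. */`. The early return frees `reverse_map` the same way the existing error path in this loop appears to, which keeps cleanup consistent, assuming no other loop-local allocation must be released, which the hunk does not show. The test `fd < 0 || (unsigned int) fd >= font->num_fontdicts` is correct for a signed `fd` and an unsigned `num_fontdicts`; if `fdselect` has an unsigned element type the `fd < 0` half is dead and a compiler warning might appear, so the type is worth confirming. cairo_cff_font_subset_fontdict begins and ends outside the hunk.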