[cairo-commit] 2 commits - src/cairo-cff-subset.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Mon Jan 4 14:41:14 UTC 2021


 src/cairo-cff-subset.c |    2 ++
 1 file changed, 2 insertions(+)

New commits:
commit ed7e51eb410da324258acf5ae34f0c90dd16d2e8
Merge: b0ef04e2d 467e7822a
Author: Heiko Lewin <hlewin at gmx.de>
Date:   Mon Jan 4 14:41:12 2021 +0000

    Merge branch 'font-oob' into 'master'
    
    Add a bounds check to cairo_cff_parse_charstring()
    
    Closes #444
    
    See merge request cairo/cairo!90

commit 467e7822a975fa3ed740144cd849ab596ab30118
Author: Uli Schlachter <psychon at znc.in>
Date:   Fri Dec 25 16:09:19 2020 +0100

    Add a bounds check to cairo_cff_parse_charstring()
    
    The code in cairo-cff-subset.c parses a binary font format without
    seeming to bother much verifying the data. The result is that poppler
    can be used to cause an out-of-bounds access in
    cairo_cff_parse_charstring() via a crafted font file. Fix this by adding
    the needed length check.
    
    The other code in the file also contains lots of similar things. Since I
    cannot really fix everything properly, I'll just fix the one instance
    that was found by a fuzzer.
    
    No testcase is added, because this depends on a broken font that is
    quite large. Adding something this big to the test suite does not seem
    sensible.
    
    Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/444
    Signed-off-by: Uli Schlachter <psychon at znc.in>

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index fce4195e9..f85190f77 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1604,6 +1604,8 @@ cairo_cff_parse_charstring (cairo_cff_font_t *font,
 		}
             } else {
                 sub_num = font->type2_stack_top_value + font->local_sub_bias;
+		if (sub_num >= _cairo_array_num_elements(&font->local_sub_index))
+		    return CAIRO_INT_STATUS_UNSUPPORTED;
                 element = _cairo_array_index (&font->local_sub_index, sub_num);
                 if (! font->local_subs_used[sub_num] ||
 		    (need_width && !font->type2_found_width))
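Review bot: the new guard only checks the upper bound; `sub_num` is `type2_stack_top_value + local_sub_bias`, and if `sub_num` is a signed int a negative value (a stack value more negative than the bias) is only rejected here if `_cairo_array_num_elements()` returns an unsigned type and the comparison silently converts, which is easy to break in a later refactor. An explicit `if (sub_num < 0 || sub_num >= _cairo_array_num_elements (&font->local_sub_index))` would make the intent clear and also protects the `font->local_subs_used[sub_num]` access two lines below. Style: the two added lines are tab-indented while the surrounding lines in this block use spaces, so they will render misaligned.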

