[cairo-commit] 2 commits - src/cairo-cff-subset.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Mon Jan 11 19:41:26 UTC 2021


 src/cairo-cff-subset.c |    2 ++
 1 file changed, 2 insertions(+)

New commits:
commit 891468f191cccc80b8e491318e0646a7fffa22bf
Merge: 21db0989d b1e81ee98
Author: Heiko Lewin <hlewin at gmx.de>
Date:   Mon Jan 11 19:41:24 2021 +0000

    Merge branch 'font-parse-oob' into 'master'
    
    Add a bounds check to cairo_cff_font_read_fdselect()
    
    Closes #451
    
    See merge request cairo/cairo!103

commit b1e81ee98f532a7606e451c55033e42c5bfb517c
Author: Uli Schlachter <psychon at znc.in>
Date:   Wed Jan 6 10:38:42 2021 +0100

    Add a bounds check to cairo_cff_font_read_fdselect()
    
    The code in cairo-cff-subset.c parses a binary format without seeming to
    bother much with verifying the data. The result is that poppler can be
    used to cause an out-of-bounds write in cairo_cff_font_read_fdselect()
    via a crafted font file. Fix this by adding the needed length check.
    
    The other code in the file also contains lots of similar things. Since I
    cannot really fix everything properly, I'll just fix the one instance
    that was found by a fuzzer.
    
    No testcase is added, because this depends on a broken font that is
    quite large. Adding something this big to the test suite does not seem
    sensible.
    
    Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/451
    Signed-off-by: Uli Schlachter <psychon at znc.in>

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index f85190f77..d536f25c9 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -991,6 +991,8 @@ cairo_cff_font_read_fdselect (cairo_cff_font_t *font, unsigned char *p)
             p += 2;
             fd = *p++;
             last = get_unaligned_be16 (p);
+            if (last > font->num_glyphs)
+                return CAIRO_INT_STATUS_UNSUPPORTED;
             for (j = first; j < last; j++)
                 font->fdselect[j] = fd;
         }
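Review bot: the new check bounds `last` but not `first`, so the loop `for (j = first; j < last; j++)` still relies on `first` being within `font->fdselect`'s range, and nothing in this hunk shows where `first` is validated; consider also rejecting `first > last` at the same point, and note that `fd = *p++` and `get_unaligned_be16 (p)` are still read before any check that `p` has not run past the end of the font data, which the commit message itself acknowledges as unaddressed. A short comment above the `if` stating that `fdselect` holds `num_glyphs` entries (so `last == num_glyphs` is the largest acceptable sentinel with `j < last`) would make the intent of `last > font->num_glyphs` obvious to the next reader.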

