From a6e6e2ce22aa4a68ab816427ec765a107dd44673 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
Date: Sat, 13 Jun 2026 16:44:33 +0200
Subject: [PATCH 2/3] [cff-subset] Add some missing bounds checks to
cairo_cff_font_read_fdselect.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Emilio Cobos Álvarez <emilio@crisal.io>
---
src/cairo-cff-subset.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 61ca4c459..64a059c3e 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -984,11 +984,17 @@ cairo_cff_font_read_fdselect (cairo_cff_font_t *font, unsigned char *p)
type = *p++;
if (type == 0)
{
+ if (p + font->num_glyphs > font->data_end)
+ return CAIRO_INT_STATUS_UNSUPPORTED;
for (i = 0; i < font->num_glyphs; i++)
font->fdselect[i] = *p++;
} else if (type == 3) {
+ if (p + 2 > font->data_end)
+ return CAIRO_INT_STATUS_UNSUPPORTED;
num_ranges = get_unaligned_be16 (p);
p += 2;
+ if (p + (3 * num_ranges) + 2 > font->data_end)
+ return CAIRO_INT_STATUS_UNSUPPORTED;
for (i = 0; i < num_ranges; i++)
{
first = get_unaligned_be16 (p);
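Review bot: The three new checks are written as `p + N > font->data_end`, which forms a pointer beyond the end of the font data before comparing it; when `font->num_glyphs` or `3 * num_ranges` is large that pointer arithmetic is undefined behaviour, and a compiler is entitled to fold the comparison to false. Comparing the remaining length avoids forming the out-of-range pointer, e.g. `if ((size_t)(font->data_end - p) < font->num_glyphs) return CAIRO_INT_STATUS_UNSUPPORTED;` for the type 0 branch, and likewise `(size_t)(font->data_end - p) < 3 * (size_t)num_ranges + 2` for the type 3 branch, assuming `p <= font->data_end` already holds on entry. The context line `type = *p++;` at the top of the hunk reads a byte before any check visible here; if the caller does not guarantee `p < font->data_end` at that point, it needs the same guard. cairo_cff_font_read_fdselect begins before this hunk and the range loop continues past it, so the check on the range bodies themselves is not visible here.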
--
2.54.0