[cid] Better check of `SubrCount' dictionary entry (#46272). * src/cid/cidload.c (cid_face_open): Add more sanity tests for `fd_bytes', `gd_bytes', `sd_bytes', and `num_subrs'.
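diff --git a/ChangeLog b/ChangeLog
index 79700aa..f01f149 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-22 Werner Lemberg <wl@gnu.org>
+
+ [cid] Better check of `SubrCount' dictionary entry (#46272).
+
+ * src/cid/cidload.c (cid_face_open): Add more sanity tests for
+ `fd_bytes', `gd_bytes', `sd_bytes', and `num_subrs'.
+
 2015-10-21 Werner Lemberg <wl@gnu.org>
 [base] Pacify compiler (#46266).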
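diff --git a/src/cid/cidload.c b/src/cid/cidload.c
index aa125a4..7c39c02 100644
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -750,6 +750,14 @@
 /* sanity tests */
+ if ( cid->fd_bytes < 0 || cid->gd_bytes < 0 )
+ {
+ FT_ERROR(( "cid_parse_dict:"
+ " Invalid `FDBytes' or `GDBytes' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
 /* allow at most 32bit offsets */
 if ( cid->fd_bytes > 4 || cid->gd_bytes > 4 )
 {
@@ -769,6 +777,13 @@
 CID_FaceDict dict = cid->font_dicts + n;
+ if ( dict->sd_bytes < 0 )
+ {
+ FT_ERROR(( "cid_parse_dict: Invalid `SDBytes' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
 if ( dict->sd_bytes > 4 )
 {
 FT_ERROR(( "cid_parse_dict:"
@@ -785,9 +800,11 @@
 goto Exit;
 }
- if ( dict->sd_bytes &&
- dict->num_subrs >
- ( binary_length - dict->subrmap_offset ) / dict->sd_bytes )
+ /* `num_subrs' is scanned as a signed integer */
+ if ( (FT_Int)dict->num_subrs < 0 ||
+ ( dict->sd_bytes &&
+ dict->num_subrs > ( binary_length - dict->subrmap_offset ) /
+ (FT_UInt)dict->sd_bytes ) )
 {
 FT_ERROR(( "cid_parse_dict: Invalid `SubrCount' value\n" ));
 error = FT_THROW( Invalid_File_Format );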
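Review bot: The sign test `(FT_Int)dict->num_subrs < 0` in the last hunk depends on converting an unsigned value above INT_MAX to a signed type, which C leaves implementation-defined, so rejecting counts with the top bit set is guaranteed only on the usual two's-complement targets rather than by the language. Comparing in the unsigned domain states the intent directly, e.g. `if ( dict->num_subrs > (FT_UInt)FT_INT_MAX ||` (FT_INT_MAX from FreeType's internal headers if it is in scope here, otherwise INT_MAX from limits.h), and the existing `/* `num_subrs' is scanned as a signed integer */` comment then explains why INT_MAX is the bound. The division on the following lines also assumes `dict->subrmap_offset <= binary_length`; that check appears to sit just before the hunk (the `goto Exit; }` context at its top), so it only matters if it is not there. The new messages in the first two hunks reuse the neighbouring `cid_parse_dict:` prefix although the ChangeLog places this code in cid_face_open; that is consistent with the surrounding messages and pre-dates this commit.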