Commit 5bd76524ef786d942b28dc52618aeda3aebfa3d6

Werner Lemberg 2018-03-13T11:11:16

* src/sfnt/ttcmap.c (tt_cmap2_validate): Fix potential numeric overflow.

diff --git a/ChangeLog b/ChangeLog
index 65bc409..d3ead8f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2018-03-13  Werner Lemberg  <wl@gnu.org>
 
+	* src/sfnt/ttcmap.c (tt_cmap2_validate): Fix potential numeric
+	overflow.
+
+2018-03-13  Werner Lemberg  <wl@gnu.org>
+
 	Fix cmap format 2 handling (#53320).
 
 	The patch introduced for #52646 was not correct.
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 58b49c9..dcde869 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -222,10 +222,10 @@
   /***** The following charmap lookup and iteration functions all      *****/
   /***** assume that the value `charcode' fulfills the following.      *****/
   /*****                                                               *****/
-  /*****   - For one byte characters, `charcode' is simply the         *****/
+  /*****   - For one-byte characters, `charcode' is simply the         *****/
   /*****     character code.                                           *****/
   /*****                                                               *****/
-  /*****   - For two byte characters, `charcode' is the 2-byte         *****/
+  /*****   - For two-byte characters, `charcode' is the 2-byte         *****/
   /*****     character code in big endian format.  More precisely:     *****/
   /*****                                                               *****/
   /*****       (charcode >> 8)    is the first byte value              *****/
@@ -252,11 +252,11 @@
   /*   subs        518            SUBHEAD[NSUBS]  sub-headers array        */
   /*   glyph_ids   518+NSUB*8     USHORT[]        glyph ID array           */
   /*                                                                       */
-  /* The `keys' table is used to map charcode high-bytes to sub-headers.   */
+  /* The `keys' table is used to map charcode high bytes to sub-headers.   */
   /* The value of `NSUBS' is the number of sub-headers defined in the      */
   /* table and is computed by finding the maximum of the `keys' table.     */
   /*                                                                       */
-  /* Note that for any n, `keys[n]' is a byte offset within the `subs'     */
+  /* Note that for any `n', `keys[n]' is a byte offset within the `subs'   */
   /* table, i.e., it is the corresponding sub-header index multiplied      */
   /* by 8.                                                                 */
   /*                                                                       */
@@ -269,8 +269,8 @@
   /*   delta       4           SHORT           see below                   */
   /*   offset      6           USHORT          see below                   */
   /*                                                                       */
-  /* A sub-header defines, for each high-byte, the range of valid          */
-  /* low-bytes within the charmap.  Note that the range defined by `first' */
+  /* A sub-header defines, for each high byte, the range of valid          */
+  /* low bytes within the charmap.  Note that the range defined by `first' */
   /* and `count' must be completely included in the interval [0..255]      */
   /* according to the specification.                                       */
   /*                                                                       */
@@ -360,7 +360,7 @@
       /* check range within 0..255 */
       if ( valid->level >= FT_VALIDATE_PARANOID )
       {
-        if ( first_code >= 256 || first_code + code_count > 256 )
+        if ( first_code >= 256 || code_count > 256 - first_code )
           FT_INVALID_DATA;
       }
 
@@ -412,7 +412,7 @@
     {
       FT_UInt   char_lo = (FT_UInt)( char_code & 0xFF );
       FT_UInt   char_hi = (FT_UInt)( char_code >> 8 );
-      FT_Byte*  p       = table + 6;    /* keys table */
+      FT_Byte*  p       = table + 6;    /* keys table       */
       FT_Byte*  subs    = table + 518;  /* subheaders table */
       FT_Byte*  sub;
 
@@ -425,8 +425,8 @@
         sub = subs;  /* jump to first sub-header */
 
         /* check that the sub-header for this byte is 0, which */
-        /* indicates that it is really a valid one-byte value  */
-        /* Otherwise, return 0                                 */
+        /* indicates that it is really a valid one-byte value; */
+        /* otherwise, return 0                                 */
         /*                                                     */
         p += char_lo * 2;
         if ( TT_PEEK_USHORT( p ) != 0 )
@@ -445,6 +445,7 @@
         if ( sub == subs )
           goto Exit;
       }
+
       result = sub;
     }