Commit 946df2216565925223a9e6af4d708906a6262a7d

Alexei Podtelezhnikov 2021-10-07T22:44:53

* src/cid/cidload.c (cid_face_open): Streamline SubrCount check.

diff --git a/src/cid/cidload.c b/src/cid/cidload.c
index ed5fb1a..75f3d4c 100644
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -902,11 +902,10 @@
         goto Exit;
       }
 
-      /* `num_subrs' is scanned as a signed integer */
-      if ( (FT_Int)dict->num_subrs < 0                                     ||
-           ( dict->sd_bytes                                              &&
-             dict->num_subrs > ( binary_length - dict->subrmap_offset ) /
-                                 dict->sd_bytes                          ) )
+      /* The first condition prevents the multiplication overflow */
+      if ( dict->num_subrs > UINT_MAX / 4         ||
+           dict->num_subrs * dict->sd_bytes >
+             binary_length - dict->subrmap_offset )
       {
         FT_ERROR(( "cid_face_open: Invalid `SubrCount' value\n" ));
         error = FT_THROW( Invalid_File_Format );
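Review bot: The `UINT_MAX / 4` bound in the new condition keeps `dict->num_subrs * dict->sd_bytes` from wrapping only if `dict->sd_bytes` is at most 4, and `binary_length - dict->subrmap_offset` is safe only if the offset was already checked against `binary_length`; neither precondition is visible in this hunk. Both are presumably enforced earlier in cid_face_open, which starts and ends outside the hunk, so the comment should name them, for example `/* sd_bytes <= 4 and subrmap_offset <= binary_length are checked above, so the first condition prevents the multiplication overflow */`. The removed comment also recorded that `num_subrs` is scanned as a signed integer; a second comment line such as `/* it also rejects a negative SubrCount stored in the unsigned field */` would keep that reasoning, since the new bound is now what catches that case. As a style point, the rest of FreeType uses `FT_UINT_MAX` rather than the bare `UINT_MAX`, which would also avoid depending on `<limits.h>` being in scope here.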