
Fix out of bounds access in cairo_type1_font_subset_find_segments

This function parses some raw font data and it trusts the font to be well-formed. This means that a font can just say "this segment is a gigabyte large" and the code will happily jump ahead in memory. Bad things then happen in practice.

Fix this by adding lots of bounds checks.

Also, an existing bounds check makes sure we are still before the end of the data, but then happily reads the next six bytes. Fix this by making sure we actually have six bytes of data.

No regression test since the last few times I tried to do this for font issues, I ended up with a large/huge blob of font data. Too large for the test suite.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27969
Signed-off-by: Uli Schlachter psychon@znc.in

CC @aacid FYI
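As an added illustration (not cairo's code and not part of this merge request): a hypothetical PFB-style segment walker, assuming the 6-byte header layout 0x80, type byte, 4-byte little-endian length, that applies the two checks the description calls for: a complete header must remain before it is read, and a segment's declared length must fit in the remaining data before the parser skips over it.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical PFB-style segment header (assumption, not cairo's layout):
 * byte 0: 0x80 marker, byte 1: type (1 = ASCII, 2 = binary, 3 = EOF),
 * bytes 2..5: segment length, little-endian. */
#define PFB_HDR_LEN 6

/* Walk all segments. Returns the number of data segments before the EOF
 * segment, or -1 if the data is truncated or a segment claims more bytes
 * than remain. The weak pattern the description mentions, checking only
 * "p < end" before reading six header bytes, is what the first test avoids. */
int find_segments_checked(const uint8_t *data, size_t len)
{
    const uint8_t *p = data;
    const uint8_t *end = data + len;
    int count = 0;

    for (;;) {
        /* Need the whole header, not just one byte, before touching p[0..5]. */
        if (end - p < PFB_HDR_LEN)
            return -1;
        if (p[0] != 0x80)
            return -1;
        uint8_t type = p[1];
        uint32_t seg_len = (uint32_t)p[2] | ((uint32_t)p[3] << 8)
                         | ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 24);
        p += PFB_HDR_LEN;

        if (type == 3)              /* EOF segment: done */
            return count;
        if (type != 1 && type != 2)
            return -1;
        /* Compare the claimed length against what is actually left before
         * advancing; a "gigabyte" segment fails here instead of moving p
         * past the buffer. */
        if (seg_len > (size_t)(end - p))
            return -1;
        p += seg_len;
        count++;
    }
}

/* Constructed sample inputs, not real font data. */
const uint8_t good_font[] = { 0x80, 1, 3, 0, 0, 0, 'a', 'b', 'c',
                              0x80, 2, 2, 0, 0, 0, 0xAA, 0xBB,
                              0x80, 3, 0, 0, 0, 0 };
const uint8_t oversized_segment[] = { 0x80, 1, 0xFF, 0xFF, 0xFF, 0x3F, 'x' };
const uint8_t truncated_header[] = { 0x80, 1, 3 };       /* p < end, but < 6 bytes */
const uint8_t missing_eof[] = { 0x80, 1, 1, 0, 0, 0, 'a' };
```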
