[psaux] Full bounds check for OtherSubr 19.

It is possible for OtherSubr 19 to be invoked when decoder->buildchar
is NULL (so the decoder->len_buildchar is 0), the blend is non-NULL
with blend->num_designs set to 2, and the user supplied idx to be
large (for example 0xFFFFFFFE). Since these are all FT_UInt32 the
existing bounds check overflows in a well defined manner, allowing for
an invalid call to memcpy.

In addition, it is possible to call OtherSubr 19 with
decoder->len_buildchar, blend->num_designs, and idx all zero
(implying that blend->weight_vector and decoder->buildchar are
NULL). This passes the bounds check (it is logically always fine to copy
nothing starting at index zero) but may invoke undefined behavior in
ft_memcpy if it is backed by memcpy. Calling memcpy with either
the src or dst NULL is undefined behavior (even if count is zero).

- src/psaux/psintrp.c (cf2_interpT2CharString): Correctly check that
blend->num_designs can be copied to decoder->buildchar[idx]. Also avoid
passing NULL to ft_memcpy.
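
The two conditions described in the commit message, as an added example in C (not FreeType's code and not taken from the patch). The additive form of the check in `wrapping_check_ok` is an assumption about what an overflow-prone check looks like, and the function names and `copy_weights` helper are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed overflow-prone form: idx + num_designs wraps modulo 2^32,
   so 0xFFFFFFFE + 2 becomes 0 and compares as "in range". */
static int wrapping_check_ok(uint32_t idx, uint32_t num_designs,
                             uint32_t len_buildchar)
{
    return !((uint32_t)(idx + num_designs) > len_buildchar);
}

/* Full check: subtract only after proving the subtraction cannot
   underflow, so no intermediate value can wrap. */
static int full_check_ok(uint32_t idx, uint32_t num_designs,
                         uint32_t len_buildchar)
{
    return num_designs <= len_buildchar &&
           idx <= len_buildchar - num_designs;
}

/* Hypothetical helper: copy num_designs weights to buildchar[idx].
   Returns 0 when the request is in bounds, -1 when it is rejected. */
static int copy_weights(int32_t *buildchar, uint32_t len_buildchar,
                        const int32_t *weight_vector,
                        uint32_t num_designs, uint32_t idx)
{
    if (!full_check_ok(idx, num_designs, len_buildchar))
        return -1;
    /* memcpy with a NULL src or dst is undefined even when the count
       is zero, so skip the call when either array is absent. */
    if (buildchar && weight_vector)
        memcpy(&buildchar[idx], weight_vector,
               num_designs * sizeof weight_vector[0]);
    return 0;
}

int main(void)
{
    /* Constructed inputs matching the values in the commit message. */
    printf("wrapping check accepts: %d\n",
           wrapping_check_ok(0xFFFFFFFEu, 2, 0));
    printf("full check accepts:     %d\n",
           full_check_ok(0xFFFFFFFEu, 2, 0));
    printf("all-zero, NULL arrays:  %d\n",
           copy_weights(NULL, 0, NULL, 0, 0));
    return 0;
}
```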