Commit 467e7822 authored by Uli Schlachter's avatar Uli Schlachter
Browse files

Add a bounds check to cairo_cff_parse_charstring()

The code in cairo-cff-subset.c parses a binary font format without
seeming to bother much verifying the data. The result is that poppler
can be used to cause an out-of-bounds access in
cairo_cff_parse_charstring() via a crafted font file. Fix this by adding
the needed length check.

The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.

No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem

Fixes: cairo/cairo#444

Signed-off-by: Uli Schlachter's avatarUli Schlachter <>
parent 979382dd
......@@ -1604,6 +1604,8 @@ cairo_cff_parse_charstring (cairo_cff_font_t *font,
} else {
sub_num = font->type2_stack_top_value + font->local_sub_bias;
if (sub_num >= _cairo_array_num_elements(&font->local_sub_index))
element = _cairo_array_index (&font->local_sub_index, sub_num);
if (! font->local_subs_used[sub_num] ||
(need_width && !font->type2_found_width))
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment