Commit b1e81ee9 authored by Uli Schlachter

Add a bounds check to cairo_cff_font_read_fdselect()

The code in cairo-cff-subset.c parses a binary format without seeming to
bother much with verifying the data. The result is that poppler can be
used to cause an out-of-bounds write in cairo_cff_font_read_fdselect()
via a crafted font file. Fix this by adding the needed length check.

The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.

No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.

Fixes: cairo/cairo#451

Signed-off-by: Uli Schlachter <psychon@znc.in>
parent cb3618f7
......@@ -991,6 +991,8 @@ cairo_cff_font_read_fdselect (cairo_cff_font_t *font, unsigned char *p)
p += 2;
fd = *p++;
last = get_unaligned_be16 (p);
if (last > font->num_glyphs)
return CAIRO_INT_STATUS_UNSUPPORTED;
for (j = first; j < last; j++)
font->fdselect[j] = fd;
}
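Review bot: the added `last > font->num_glyphs` check is sufficient for the write in this hunk, because the loop condition `j < last` is exclusive, so the largest accepted value `last == font->num_glyphs` still keeps every `font->fdselect[j]` store inside the array (this matches the CFF format 3 FDSelect layout, whose final sentinel GID equals the glyph count); `first` needs no separate check for the same reason, since a `first` at or beyond `last` simply runs the loop zero times. What the hunk does not cover is the read side: `fd = *p++;` and `last = get_unaligned_be16 (p);` still dereference `p` with no visible check that the bytes lie within the font data, so a truncated FDSelect table can read past the end of the buffer even with this fix in place. A length check against the end of the font data before these reads, in the same style as the one added here for the write, would close that, and given the commit message's own note that the rest of the parser has similar gaps, it may be worth a follow-up rather than leaving it to the next fuzzer find.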