[cairo-commit] 2 commits - src/cairo-cff-subset.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Sat Dec 31 14:01:10 UTC 2022


 src/cairo-cff-subset.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

New commits:
commit 001df8ad171bb05112f934d7ff2d1abbedea4472
Merge: c56c3023b c24c65752
Author: Uli Schlachter <psychon at znc.in>
Date:   Sat Dec 31 14:01:08 2022 +0000

    Merge branch 'improve-offset-size-checking' into 'master'
    
    Improve cff index reading code
    
    See merge request cairo/cairo!383

commit c24c657525b4f8ae37bc2d0cf8768da80cca1387
Author: Uli Schlachter <psychon at znc.in>
Date:   Sat Dec 31 14:21:28 2022 +0100

    Improve cff index reading code
    
    In a recent MR [1], Adrian Johnson writes:
    
      For additional safety you could change the unsigned long to size_t
      since long is 32-bits on Win64. The CFF spec says the offset size used
      in decode_index_offset must be between 1 and 4 so you could range
      check that to avoid overflowing the offset.
    
    This commit implements exactly that.
    
    [1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/382#note_1700743
    
    Signed-off-by: Uli Schlachter <psychon at znc.in>

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index dd626e85c..be4766440 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -390,7 +390,7 @@ encode_index_offset (unsigned char *p, int offset_size, unsigned long offset)
     return p + offset_size;
 }
 
-static unsigned long
+static size_t
 decode_index_offset(unsigned char *p, int off_size)
 {
     unsigned long offset = 0;
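Review bot: The return type of decode_index_offset becomes size_t, but the local accumulator on the line after the signature stays `unsigned long offset = 0;`, so the widening only happens at the return and the function's internal type no longer matches its declared result; for consistency with the callers changed in this commit it should read `size_t offset = 0;`. With off_size limited to 4 the value fits either type, so this is a style and consistency point rather than an overflow. The body of decode_index_offset continues past the end of this hunk, so the shifting loop itself is not visible here.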
@@ -413,7 +413,7 @@ cff_index_read (cairo_array_t *index, unsigned char **ptr, unsigned char *end_pt
     unsigned char *data, *p;
     cairo_status_t status;
     int offset_size, count, i;
-    unsigned long start, end = 0;
+    size_t start, end = 0;
 
     p = *ptr;
     if (p + 2 > end_ptr)
@@ -422,7 +422,7 @@ cff_index_read (cairo_array_t *index, unsigned char **ptr, unsigned char *end_pt
     p += 2;
     if (count > 0) {
         offset_size = *p++;
-        if (p + (count + 1)*offset_size > end_ptr)
+        if (p + (count + 1)*offset_size > end_ptr || offset_size > 4)
             return CAIRO_INT_STATUS_UNSUPPORTED;
         data = p + offset_size*(count + 1) - 1;
         start = decode_index_offset (p, offset_size);
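Review bot: The new `offset_size > 4` test is placed after the pointer-bound test, so `p + (count + 1)*offset_size` is still computed with an unchecked byte value (up to 255) before the range is validated, and an offset_size of 0 is still accepted even though the commit message cites the spec range 1..4; with 0, `data = p + offset_size*(count + 1) - 1` points one byte before p and decode_index_offset is asked to decode zero-width offsets. Reordering the condition to validate the field first and rejecting 0 as well avoids both: `if (offset_size < 1 || offset_size > 4 || p + (count + 1)*offset_size > end_ptr)`. Assuming count is the two-byte value read just above (not visible in this hunk), the product cannot overflow int, so the remaining concern is only forming a pointer past end_ptr for the comparison, which the reorder reduces to at most 4*(count + 1) bytes. cff_index_read continues beyond the end of this hunk.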

