[poppler] fofi/FoFiType1.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Thu May 24 21:21:24 UTC 2018
fofi/FoFiType1.cc | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
New commits:
commit c758fc980834882528eeae82568494e46d189cc5
Author: Albert Astals Cid <aacid at kde.org>
Date: Thu May 24 23:19:16 2018 +0200
FoFiType1::parse: Fix invalid memory access
Make sure there's enough line left before calling strncmp
fixes oss-fuzz/8425
diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc
index dbe95b67..ae9dfc4d 100644
--- a/fofi/FoFiType1.cc
+++ b/fofi/FoFiType1.cc
@@ -226,7 +226,9 @@ void FoFiType1::parse() {
++i) {
// get font name
- if (!name && !strncmp(line, "/FontName", 9)) {
+ if (!name &&
+ (line + 9 <= (char*)file + len) &&
+ !strncmp(line, "/FontName", 9)) {
strncpy(buf, line, 255);
buf[255] = '\0';
if ((p = strchr(buf+9, '/')) &&
@@ -237,9 +239,11 @@ void FoFiType1::parse() {
// get encoding
} else if (!encoding &&
+ (line + 30 <= (char*)file + len) &&
!strncmp(line, "/Encoding StandardEncoding def", 30)) {
encoding = (char **)fofiType1StandardEncoding;
} else if (!encoding &&
+ (line + 19 <= (char*)file + len) &&
!strncmp(line, "/Encoding 256 array", 19)) {
encoding = (char **)gmallocn(256, sizeof(char *));
for (j = 0; j < 256; ++j) {
@@ -331,7 +335,9 @@ void FoFiType1::parse() {
}
//~ check for getinterval/putinterval junk
- } else if (!gotMatrix && !strncmp(line, "/FontMatrix", 11)) {
+ } else if (!gotMatrix &&
+ (line + 11 <= (char*)file + len) &&
+ !strncmp(line, "/FontMatrix", 11)) {
strncpy(buf, line + 11, 255);
buf[255] = '\0';
if ((p = strchr(buf, '['))) {
More information about the poppler
mailing list