From e9debcd1698ae29f7376b516593738d28266ce74 Mon Sep 17 00:00:00 2001
From: Michael R Sweet
Date: Thu, 6 Mar 2025 14:16:38 -0500
Subject: [PATCH] Add some more range checking to the cmap code.
---
 CHANGES.md | 2 +-
 ttf.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 1c0c061..b399fdf 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -14,7 +14,7 @@ v1.5.0 - YYYY-MM-DD
 - Now support opening damaged PDF files (Issue #45)
 - Updated documentation (Issue #95)
 - Updated the pdf2txt example to support font encodings.
-- Fixed a potential heap overflow in the TrueType font code.
+- Fixed potential heap/integer overflow issues in the TrueType cmap code.
 v1.4.1 - 2025-01-24
diff --git a/ttf.c b/ttf.c
index 896e695..8cabc7e 100644
--- a/ttf.c
+++ b/ttf.c
@@ -1423,7 +1423,7 @@ read_cmap(ttf_t *font) // I - Font
 group->startGlyphID = read_ulong(font);
 TTF_DEBUG("read_cmap: [%u] startCharCode=%u, endCharCode=%u, startGlyphID=%u\n", gidx, group->startCharCode, group->endCharCode, group->startGlyphID);
- if (group->startCharCode > group->endCharCode)
+ if (group->startCharCode > group->endCharCode || group->startCharCode >= TTF_FONT_MAX_CHAR || group->endCharCode >= TTF_FONT_MAX_CHAR)
 {
 errorf(font, "Bad cmap table segment %u to %u.", group->startCharCode, group->endCharCode);
 free(groups);
@@ -1514,7 +1514,7 @@ read_cmap(ttf_t *font) // I - Font
 group->glyphID = read_ulong(font);
 TTF_DEBUG("read_cmap: [%u] startCharCode=%u, endCharCode=%u, glyphID=%u\n", gidx, group->startCharCode, group->endCharCode, group->glyphID);
- if (group->startCharCode > group->endCharCode)
+ if (group->startCharCode > group->endCharCode || group->startCharCode >= TTF_FONT_MAX_CHAR || group->endCharCode >= TTF_FONT_MAX_CHAR)
 {
 errorf(font, "Bad cmap table segment %u to %u.", group->startCharCode, group->endCharCode);
 free(groups);
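Review bot: The new guard in the first ttf.c hunk bounds startCharCode and endCharCode against TTF_FONT_MAX_CHAR but leaves group->startGlyphID, read from the file on the hunk's first line, completely unchecked; if the lookup code later forms `startGlyphID + (code - startCharCode)` as a glyph index, a value near UINT32_MAX wraps that sum and any value beyond the font's glyph count walks off a per-glyph array, so the glyph side of the group needs a bound in the same condition. Glyph indices in TrueType tables are 16-bit, so at minimum `|| group->startGlyphID > 0xFFFF` (or, better, a comparison against the maxp glyph count if read_cmap has it at this point) would close the gap; how the glyph ID is consumed is not visible here, so the exact bound should be confirmed against the mapping code. read_cmap begins and ends outside the hunk.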
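Review bot: In the second ttf.c hunk the clause `group->startCharCode >= TTF_FONT_MAX_CHAR` is dead once `startCharCode > endCharCode` has been ruled out, because `endCharCode >= TTF_FONT_MAX_CHAR` then already covers it, so `if (group->startCharCode > group->endCharCode || group->endCharCode >= TTF_FONT_MAX_CHAR)` expresses the same range check more readably. The identical condition now appears in two places (this hunk and the one at line 1423), which invites drift the next time a bound is tightened; a small `static bool cmap_range_ok(uint32_t start, uint32_t end)` helper called from both would keep them in step. As in the earlier hunk, group->glyphID read on the first line is not bounded by the new check, though its use is outside what this hunk shows. read_cmap begins and ends outside the hunk.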