Cherry-pick https://gitlab.freedesktop.org/cairo/cairo/-/commit/891468f191cccc80b8e491318e0646a7fffa22bf draft
authorJonathan Kew <jkew@mozilla.com>
Fri, 05 Feb 2021 15:13:01 +0000
changeset 3667298 1081f7a6419d2dbc2a088898c606738e21e3f12f
parent 3667297 315dae85fa9ee3a70c60e61e2e179e2f69a8977e
child 3667299 3e7630189a920ef9bbf8814a7144145742203514
push id683063
push userjkew@mozilla.com
push dateMon, 19 Apr 2021 13:15:26 +0000
treeherdertry@919daaf50d14 [default view] [failures only]
milestone89.0a1
Cherry-pick https://gitlab.freedesktop.org/cairo/cairo/-/commit/891468f191cccc80b8e491318e0646a7fffa22bf Add a bounds check to cairo_cff_font_read_fdselect()
gfx/cairo/cairo/src/cairo-cff-subset.c
--- a/gfx/cairo/cairo/src/cairo-cff-subset.c
+++ b/gfx/cairo/cairo/src/cairo-cff-subset.c
@@ -986,16 +986,18 @@ cairo_cff_font_read_fdselect (cairo_cff_
         num_ranges = get_unaligned_be16 (p);
         p += 2;
         for  (i = 0; i < num_ranges; i++)
         {
             first = get_unaligned_be16 (p);
             p += 2;
             fd = *p++;
             last = get_unaligned_be16 (p);
+            if (last > font->num_glyphs)
+                return CAIRO_INT_STATUS_UNSUPPORTED;
             for (j = first; j < last; j++)
                 font->fdselect[j] = fd;
         }
     } else {
         return CAIRO_INT_STATUS_UNSUPPORTED;
     }
 
     return CAIRO_STATUS_SUCCESS;
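Review bot: The new check in the range loop bounds the write index into `font->fdselect`, but the reads through `p` in that loop are still driven only by the file-supplied `num_ranges`, and nothing visible in this hunk compares `p` with the end of the font data. Each iteration consumes three bytes and reads two more for `last`, so a truncated table could be read past its buffer before the new check rejects it. If no earlier code guarantees the table length, a guard at the top of the loop body such as `if (data_end - p < 5) return CAIRO_INT_STATUS_UNSUPPORTED;` would cover it, where `data_end` is a placeholder for whatever end-of-data pointer the function has available. The check also assumes `fdselect` was allocated with `num_glyphs` entries, and `fd` is stored without being compared to the number of font dicts. The body of cairo_cff_font_read_fdselect() starts and ends outside this hunk, so these points may already be handled there and are worth confirming.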