From 86e52c2004c5c21e1e5fce3730be7591ab11161b Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Sat, 25 Apr 2026 13:26:47 +0000
Subject: [PATCH 27/29] Bug 2029325 - Reject negative sub_num during CFF subsetting. r=gfx-reviewers,lsalzman

Differential Revision: https://phabricator.services.mozilla.com/D296344
---
 src/cairo-cff-subset.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index a725c726d..ffa2eb6ad 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1609,7 +1609,7 @@ cairo_cff_parse_charstring (cairo_cff_font_t *font,
 if (font->is_cid) {
 fd = font->fdselect[glyph_id];
 sub_num = font->type2_stack_top_value + font->fd_local_sub_bias[fd];
- if (sub_num >= (int)_cairo_array_num_elements(&font->fd_local_sub_index[fd]))
+ if (sub_num < 0 || sub_num >= (int)_cairo_array_num_elements(&font->fd_local_sub_index[fd]))
 return CAIRO_INT_STATUS_UNSUPPORTED;
 element = _cairo_array_index (&font->fd_local_sub_index[fd], sub_num);
 if (! font->fd_local_subs_used[fd][sub_num]) {
@@ -1618,7 +1618,7 @@ cairo_cff_parse_charstring (cairo_cff_font_t *font,
 }
 } else {
 sub_num = font->type2_stack_top_value + font->local_sub_bias;
- if (sub_num >= (int)_cairo_array_num_elements(&font->local_sub_index))
+ if (sub_num < 0 || sub_num >= (int)_cairo_array_num_elements(&font->local_sub_index))
 return CAIRO_INT_STATUS_UNSUPPORTED;
 element = _cairo_array_index (&font->local_sub_index, sub_num);
 if (! font->local_subs_used[sub_num] ||
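Review bot: The new lower bound in this hunk (and identically in the -1618 and -1644 hunks) is still paired with an upper bound computed as `(int)_cairo_array_num_elements(...)`, so the range check is only as strong as that cast: the cast suggests the element count is unsigned, and a count at or above INT_MAX would turn negative and let any sub_num through. Since the same three-way test is now written at three sites, a small helper states the intent once and drops the cast, `static cairo_bool_t sub_num_in_range (int sub_num, const cairo_array_t *index) { return sub_num >= 0 && (unsigned int) sub_num < _cairo_array_num_elements (index); }`, with each site becoming `if (! sub_num_in_range (sub_num, &font->fd_local_sub_index[fd]))`. A comment at the first site would record why the lower bound exists: `/* sub_num is a charstring operand plus the subr bias, so an untrusted operand can make it negative. */`. If type2_stack_top_value can hold the full 32-bit operand range, the addition to the bias on the line above the check can itself overflow before the bound is tested; worth confirming against the operand parser. cairo_cff_parse_charstring begins and ends outside these hunks.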
@@ -1644,7 +1644,7 @@ cairo_cff_parse_charstring (cairo_cff_font_t *font,
 font->type2_seen_first_int = FALSE;
 sub_num = font->type2_stack_top_value + font->global_sub_bias;
- if (sub_num >= (int)_cairo_array_num_elements(&font->global_sub_index))
+ if (sub_num < 0 || sub_num >= (int)_cairo_array_num_elements(&font->global_sub_index))
 return CAIRO_INT_STATUS_UNSUPPORTED;
 element = _cairo_array_index (&font->global_sub_index, sub_num);
 if (! font->global_subs_used[sub_num] ||
-- 
2.53.0