From a6e6e2ce22aa4a68ab816427ec765a107dd44673 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?=
Date: Sat, 13 Jun 2026 16:44:33 +0200
Subject: [PATCH 2/3] [cff-subset] Add some missing bounds checks to cairo_cff_font_read_fdselect.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Emilio Cobos Álvarez
---
 src/cairo-cff-subset.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 61ca4c459..64a059c3e 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -984,11 +984,17 @@ cairo_cff_font_read_fdselect (cairo_cff_font_t *font, unsigned char *p)
     type = *p++;
     if (type == 0) {
+        if (p + font->num_glyphs > font->data_end)
+            return CAIRO_INT_STATUS_UNSUPPORTED;
         for (i = 0; i < font->num_glyphs; i++)
             font->fdselect[i] = *p++;
     } else if (type == 3) {
+        if (p + 2 > font->data_end)
+            return CAIRO_INT_STATUS_UNSUPPORTED;
         num_ranges = get_unaligned_be16 (p);
         p += 2;
+        if (p + (3 * num_ranges) + 2 > font->data_end)
+            return CAIRO_INT_STATUS_UNSUPPORTED;
         for (i = 0; i < num_ranges; i++) {
             first = get_unaligned_be16 (p);
-- 
2.54.0
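Review bot: The three added checks form `p + count` first and compare the result against `font->data_end`, and for a truncated or hostile font that sum can point past the end of the buffer, which is undefined pointer arithmetic in C and a pattern the optimizer may fold away; comparing the remaining length instead never forms the out-of-range pointer, e.g. `if ((size_t)(font->data_end - p) < font->num_glyphs)`, `if (font->data_end - p < 2)` and `if ((size_t)(font->data_end - p) < 3 * (size_t)num_ranges + 2)`. The `type = *p++` read on the first context line runs before any of the new checks, so unless the caller has already verified `p < font->data_end` (not visible here) that byte is still read unchecked. The `+ 2` in the third check appears to reserve room for the range sentinel read after the loop, which is worth a one-line comment such as `/* 3 bytes per range plus the 2-byte sentinel */` since the loop body that consumes it is outside this hunk. cairo_cff_font_read_fdselect begins and ends outside the hunk, so whether `first` and the following range end are bounded against `font->num_glyphs` before `font->fdselect` is written cannot be confirmed from this view.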