| Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 1 | From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001 |
| 2 | From: Chris Liddell <chris.liddell@artifex.com> |
| 3 | Date: Thu, 15 Jun 2017 09:05:20 +0100 |
| 4 | Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more |
| 5 | robust |
| 6 | |
| 7 | --- |
| 8 | base/gxttfb.c | 3 ++- |
| 9 | 1 file changed, 2 insertions(+), 1 deletion(-) |
| 10 | |
| 11 | --- end of original header |
| 12 | |
| 13 | CVE: CVE-2017-9727 |
| 14 | |
| 15 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| 16 | |
| 17 | Signed-off-by: Joe Slater <joe.slater@windriver.com> |
| 18 | |
| 19 | diff --git a/base/gxttfb.c b/base/gxttfb.c |
| 20 | index 0e9a444..e1561af 100644 |
| 21 | --- a/base/gxttfb.c |
| 22 | +++ b/base/gxttfb.c |
| 23 | @@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n) |
| 24 | if (!r->error) { |
| 25 | if (r->extra_glyph_index != -1) { |
| 26 | q = r->glyph_data.bits.data + r->pos; |
| 27 | - r->error = (r->glyph_data.bits.size - r->pos < n ? |
| 28 | + r->error = ((r->pos >= r->glyph_data.bits.size || |
| 29 | + r->glyph_data.bits.size - r->pos < n) ? |
| 30 | gs_note_error(gs_error_invalidfont) : 0); |
| 31 | if (r->error == 0) |
| 32 | memcpy(p, q, n); |
| 33 | -- |
| 34 | 1.7.9.5 |
| 35 | |