56 lines
1.9 KiB
Diff
56 lines
1.9 KiB
Diff
Backport of:
|
|
|
|
From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Hutyra <zhutyra@centrum.cz>
|
|
Date: Mon, 13 Jan 2025 09:15:01 +0000
|
|
Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
|
|
|
|
During serializing a multiple master font for passing to Freetype.
|
|
|
|
Use CVE-2025-27830
|
|
---
|
|
base/write_t1.c | 9 +++++----
|
|
psi/zfapi.c | 9 +++++++--
|
|
2 files changed, 12 insertions(+), 6 deletions(-)
|
|
|
|
--- a/base/write_t1.c
|
|
+++ b/base/write_t1.c
|
|
@@ -454,6 +454,7 @@ write_main_dictionary(gs_fapi_font * a_f
|
|
WRF_wbyte(a_fapi_font->memory, a_output, '\n');
|
|
if (is_MM_font(a_fapi_font)) {
|
|
short x, x2;
|
|
+ unsigned short ux;
|
|
float x1;
|
|
uint i, j, entries;
|
|
char Buffer[255];
|
|
@@ -548,14 +549,14 @@ write_main_dictionary(gs_fapi_font * a_f
|
|
* be because the "get_proc" method below was missing the code to handle PS name
|
|
* objects.
|
|
*/
|
|
- if ((x =
|
|
+ if ((ux =
|
|
a_fapi_font->get_word(a_fapi_font,
|
|
gs_fapi_font_feature_DollarBlend_length,
|
|
0)) > 0) {
|
|
WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
|
|
|
|
if (a_output->m_count)
|
|
- a_output->m_count += x;
|
|
+ a_output->m_count += ux;
|
|
x = a_fapi_font->get_proc(a_fapi_font,
|
|
gs_fapi_font_feature_DollarBlend, 0,
|
|
(char *)a_output->m_pos);
|
|
--- a/psi/zfapi.c
|
|
+++ b/psi/zfapi.c
|
|
@@ -618,6 +618,10 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa
|
|
default:
|
|
break;
|
|
}
|
|
+
|
|
+ if (length > max_ushort) {
|
|
+ return 0;
|
|
+ }
|
|
}
|
|
return length;
|
|
}
|