ghostscript/0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch

77 lines
4.3 KiB
Diff
Raw Normal View History

diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index 5f82b7f..6819cb7 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -297,22 +297,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context *ctx, pdf_dict *font_dict, pdf_dic
memcpy(fontfname, fsprefix, fsprefixlen);
}
else {
- memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
- fsprefixlen = ctx->args.cidfsubstpath.size;
+ if (ctx->args.cidfsubstpath.size + 1 > gp_file_name_sizeof) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstPath parameter too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname, fsprefix, fsprefixlen);
+ }
+ else {
+ memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size);
+ fsprefixlen = ctx->args.cidfsubstpath.size;
+ }
}
if (ctx->args.cidfsubstfont.data == NULL) {
int len = 0;
- if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) {
- (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
+ if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0) {
+ if (len + fsprefixlen + 1 > gp_file_name_sizeof) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSUBSTFONT environment variable too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ }
+ else {
+ (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen);
+ }
}
else {
memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
}
}
else {
- memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
- defcidfallacklen = ctx->args.cidfsubstfont.size;
+ if (ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1) {
+ code = gs_note_error(gs_error_rangecheck);
+ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstFont parameter too long");
+ if (ctx->args.pdfstoponwarning != 0) {
+ goto exit;
+ }
+ code = 0;
+ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen);
+ }
+ else {
+ memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);
+ defcidfallacklen = ctx->args.cidfsubstfont.size;
+ }
}
fontfname[fsprefixlen + defcidfallacklen] = '\0';
diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h
index 6402d8f..d1e0019 100644
--- a/pdf/pdf_warnings.h
+++ b/pdf/pdf_warnings.h
@@ -97,4 +97,5 @@ PARAM(W_PDF_MISMATCH_GENERATION, "The generation number of an indirectly refe
PARAM(W_PDF_BAD_RENDERINGINTENT, "A ri or /RI used an unknown named rendering intent"),
PARAM(W_PDF_BAD_VIEW, "Couldn't read the initial document view"),
PARAM(W_PDF_BAD_WMODE, "A Font or CMap has a WMode which is neither 0 (horizontal) nor 1 (vertical)"),
+PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."),
#undef PARAM