From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001 From: Chris Liddell Date: Wed, 24 Jan 2024 18:25:12 +0000 Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related params Specifically, for CIDFont substitution. --- pdf/ghostpdf.h | 1 + pdf/pdf_font.c | 16 +++++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/pdf/ghostpdf.h b/pdf/ghostpdf.h index 3cc1b8c..47c34ec 100644 --- a/pdf/ghostpdf.h +++ b/pdf/ghostpdf.h @@ -117,6 +117,7 @@ typedef enum pdf_warning_e { W_PDF_INVALID_REAL, W_PDF_DEVICEN_USES_ALL, W_PDF_BAD_MEDIABOX, + W_PDF_BAD_CONFIG, W_PDF_MAX_WARNING /* Must be last entry, add new warnings immediately before this and update pdf_warning_strings in ghostpdf.c */ } pdf_warning; diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c index 7fa8a42..c536130 100644 --- a/pdf/pdf_font.c +++ b/pdf/pdf_font.c @@ -166,9 +166,19 @@ pdfi_open_CIDFont_substitute_file(pdf_context * ctx, pdf_dict *font_dict, pdf_di code = 0; memcpy(fontfname, fsprefix, fsprefixlen); - memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); - fontfname[fsprefixlen + defcidfallacklen] = '\0'; - + if (defcidfallacklen + 1 > gp_file_name_sizeof) { + code = gs_note_error(gs_error_rangecheck); + pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDSubstPath parameter too long"); + if (ctx->args.pdfstoponwarning != 0) { + return code;//goto exit; + } + code = 0; + memcpy(fontfname, fsprefix, fsprefixlen); + } + else { + memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); + fontfname[fsprefixlen + defcidfallacklen] = '\0'; + } code = pdfi_open_resource_file(ctx, fontfname, strlen(fontfname), &s); if (code >= 0) { sfseek(s, 0, SEEK_END); -- 2.43.0