shithub: freetype+ttf2subf

Download patch

ref: 012b4f2d48b602863330633cc0450b87200d778e
parent: 946df2216565925223a9e6af4d708906a6262a7d
author: Alexei Podtelezhnikov <apodtele@gmail.com>
date: Fri Oct 8 18:14:12 EDT 2021

* src/cid/cidload.c (cid_face_open): Streamline CIDCount check.

git/fs: mount .git/fs: mount/attach disallowed
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -776,7 +776,6 @@
     CID_FaceInfo  cid = &face->cid;
 
     FT_ULong  binary_length;
-    FT_ULong  entry_len;
 
 
     cid_init_loader( &loader, face );
@@ -853,8 +852,25 @@
     }
 
     binary_length = face->cid_stream->size - cid->data_offset;
-    entry_len     = cid->fd_bytes + cid->gd_bytes;
 
+    if ( cid->cidmap_offset > binary_length )
+    {
+      FT_ERROR(( "cid_face_open: Invalid `CIDMapOffset' value\n" ));
+      error = FT_THROW( Invalid_File_Format );
+      goto Exit;
+    }
+
+    /* the initial pre-check prevents the multiplication overflow */
+    if ( cid->cid_count > FT_ULONG_MAX / 8                    ||
+         cid->cid_count * ( cid->fd_bytes + cid->gd_bytes ) >
+           binary_length - cid->cidmap_offset                 )
+    {
+      FT_ERROR(( "cid_face_open: Invalid `CIDCount' value\n" ));
+      error = FT_THROW( Invalid_File_Format );
+      goto Exit;
+    }
+
+
     for ( n = 0; n < cid->num_dicts; n++ )
     {
       CID_FaceDict  dict = cid->font_dicts + n;
@@ -902,8 +918,8 @@
         goto Exit;
       }
 
-      /* The first condition prevents the multiplication overflow */
-      if ( dict->num_subrs > UINT_MAX / 4         ||
+      /* the initial pre-check prevents the multiplication overflow */
+      if ( dict->num_subrs > FT_UINT_MAX / 4      ||
            dict->num_subrs * dict->sd_bytes >
              binary_length - dict->subrmap_offset )
       {
@@ -911,22 +927,6 @@
         error = FT_THROW( Invalid_File_Format );
         goto Exit;
       }
-    }
-
-    if ( cid->cidmap_offset > binary_length )
-    {
-      FT_ERROR(( "cid_face_open: Invalid `CIDMapOffset' value\n" ));
-      error = FT_THROW( Invalid_File_Format );
-      goto Exit;
-    }
-
-    if ( entry_len                                            &&
-         cid->cid_count >
-           ( binary_length - cid->cidmap_offset ) / entry_len )
-    {
-      FT_ERROR(( "cid_face_open: Invalid `CIDCount' value\n" ));
-      error = FT_THROW( Invalid_File_Format );
-      goto Exit;
     }
 
     /* we can now safely proceed */