Fix crash when reading TTC font for glyph mapping table selection
* src/sfnt.c (sfnt_read_cmap_table): Seek to the table directory if DESC->offset is provided. * src/sfntfont.c (sfntfont_read_cmap): Accurately verify cmap subtable header size. (bug#65185)
This commit is contained in:
Po Lu
parent
e39e2fa716
commit
a5c79499e3
2 changed files with 15 additions and 2 deletions
|
|
@ -1006,7 +1006,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
|
|||
/* Read the common part of the new subtable. */
|
||||
rc = read (fd, &(*subtables)[i], sizeof (*subtables)[i]);
|
||||
|
||||
if (rc < sizeof (*subtables))
|
||||
if (rc < sizeof (*subtables)[i])
|
||||
{
|
||||
xfree (cmap);
|
||||
xfree (*subtables);
|
||||
|
|
|
|||
|
|
@ -1341,9 +1341,22 @@ sfntfont_read_cmap (struct sfnt_font_desc *desc,
|
|||
if (fd < 0)
|
||||
return;
|
||||
|
||||
/* Seek to the start of the font itself within its collection. */
|
||||
|
||||
if (desc->offset
|
||||
&& lseek (fd, desc->offset, SEEK_SET) != desc->offset)
|
||||
{
|
||||
emacs_close (fd);
|
||||
return;
|
||||
}
|
||||
|
||||
font = sfnt_read_table_directory (fd);
|
||||
|
||||
if (!font)
|
||||
/* Return if FONT is a TrueType collection: the file pointer should
|
||||
already have been moved to the start of the table directory if
|
||||
so. */
|
||||
|
||||
if (!font || font == (struct sfnt_offset_subtable *) -1)
|
||||
{
|
||||
emacs_close (fd);
|
||||
return;
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue