authorAdrian Johnson <ajohnson@redneon.com>2017-10-13 19:44:45 +1030
committerAdrian Johnson <ajohnson@redneon.com>2017-10-13 19:50:24 +1030
commitbb10bd10138a262759b37281135b5199e334f392 (patch)
tree5bf427433a028f26f1dcdece3d3e469714399945 /src
parent202a9ed64e3d164307defddb41a9f8cf9e9b751b (diff)
truetype: limit font name to 127 chars
Some broken fonts have long strings of garbage in the font name https://bugs.freedesktop.org/show_bug.cgi?id=103249
Diffstat (limited to 'src')
-rw-r--r--src/cairo-truetype-subset.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
index e934689a6..cbf85fa13 100644
--- a/src/cairo-truetype-subset.c
+++ b/src/cairo-truetype-subset.c
@@ -1431,6 +1431,12 @@ cleanup:
return status;
}
+/*
+ * Sanity check on font name length as some broken fonts may return very long
+ * strings of garbage. 127 is maximum length of a PS name.
+ */
+#define MAX_FONT_NAME_LENGTH 127
+
static cairo_status_t
find_name (tt_name_t *name, int name_id, int platform, int encoding, int language, char **str_out)
{
@@ -1449,11 +1455,17 @@ find_name (tt_name_t *name, int name_id, int platform, int encoding, int languag
be16_to_cpu (record->encoding) == encoding &&
(language == -1 || be16_to_cpu (record->language) == language)) {
- str = malloc (be16_to_cpu (record->length) + 1);
+ len = be16_to_cpu (record->length);
+ if (platform == 3 && len > MAX_FONT_NAME_LENGTH*2) /* UTF-16 name */
+ break;
+
+ if (len > MAX_FONT_NAME_LENGTH)
+ break;
+
+ str = malloc (len + 1);
if (str == NULL)
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
- len = be16_to_cpu (record->length);
memcpy (str,
((char*)name) + be16_to_cpu (name->strings_offset) + be16_to_cpu (record->offset),
len);
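Review bot: The new cap bounds how many bytes are copied but not where they are read from: the `memcpy` source is `name + strings_offset + record->offset`, with both offsets taken from the font, and nothing in this hunk checks that the range ends inside the loaded name table. `find_name` receives no table size (see its signature in the first hunk), so it cannot make that check itself; unless every caller validates the records beforehand, which is not visible here, a malformed font can still cause a read of up to 127 bytes past the table. Passing the table size in and rejecting any record whose offset plus `len` exceeds it would close that gap. Separately, the UTF-16 allowance never takes effect, because the unconditional `if (len > MAX_FONT_NAME_LENGTH)` that follows rejects every platform 3 name between 128 and 254 bytes; the two tests should be one, e.g. `if (len > (platform == 3 ? MAX_FONT_NAME_LENGTH*2 : MAX_FONT_NAME_LENGTH)) break;`. The loop and the rest of find_name continue outside the hunk.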