cairo/bugfix-fix-read-memory-access.patch

From e8fef3b8f84afb1a0ae7a9ae81f43c91ac7b3b79 Mon Sep 17 00:00:00 2001
From: sun_hai_10 <sunhai10@huawei.com>
Date: Wed, 14 Jun 2023 15:52:58 +0800
Subject: [PATCH] fix read memory access

---
 src/cairo-cff-subset.c   | 2 ++
 src/cairo-type1-subset.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index fce4195..64fc69e 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1412,6 +1412,8 @@ cairo_cff_font_subset_dict_string(cairo_cff_font_t   *font,
         return CAIRO_STATUS_SUCCESS;
 
     element = _cairo_array_index (&font->strings_index, sid - NUM_STD_STRINGS);
+    if (element == NULL)
+        return CAIRO_STATUS_NO_MEMORY;
     sid = NUM_STD_STRINGS + _cairo_array_num_elements (&font->strings_subset_index);
     status = cff_index_append (&font->strings_subset_index, element->data, element->length);
     if (unlikely (status))
diff --git a/src/cairo-type1-subset.c b/src/cairo-type1-subset.c
index 068b59e..22182af 100644
--- a/src/cairo-type1-subset.c
+++ b/src/cairo-type1-subset.c
@@ -1229,6 +1229,8 @@ cairo_type1_font_subset_for_each_glyph (cairo_type1_font_subset_t *font,
 
 	/* Skip binary data and |- or ND token. */
 	p = skip_token (charstring + charstring_length, dict_end);
+        if (p == NULL)
+            return CAIRO_INT_STATUS_NO_MEMORY;
 	while (p < dict_end && _cairo_isspace(*p))
 	    p++;
 
-- 
2.23.0
fix fuzzers 2023-06-14 16:56:38 +08:00			`From e8fef3b8f84afb1a0ae7a9ae81f43c91ac7b3b79 Mon Sep 17 00:00:00 2001`
			`From: sun_hai_10 <sunhai10@huawei.com>`
			`Date: Wed, 14 Jun 2023 15:52:58 +0800`
			`Subject: [PATCH] fix read memory access`

			`---`
			`src/cairo-cff-subset.c \| 2 ++`
			`src/cairo-type1-subset.c \| 2 ++`
			`2 files changed, 4 insertions(+)`

			`diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c`
			`index fce4195..64fc69e 100644`
			`--- a/src/cairo-cff-subset.c`
			`+++ b/src/cairo-cff-subset.c`
			`@@ -1412,6 +1412,8 @@ cairo_cff_font_subset_dict_string(cairo_cff_font_t *font,`
			`return CAIRO_STATUS_SUCCESS;`

			`element = _cairo_array_index (&font->strings_index, sid - NUM_STD_STRINGS);`
			`+ if (element == NULL)`
			`+ return CAIRO_STATUS_NO_MEMORY;`
			`sid = NUM_STD_STRINGS + _cairo_array_num_elements (&font->strings_subset_index);`
			`status = cff_index_append (&font->strings_subset_index, element->data, element->length);`
			`if (unlikely (status))`
			`diff --git a/src/cairo-type1-subset.c b/src/cairo-type1-subset.c`
			`index 068b59e..22182af 100644`
			`--- a/src/cairo-type1-subset.c`
			`+++ b/src/cairo-type1-subset.c`
			`@@ -1229,6 +1229,8 @@ cairo_type1_font_subset_for_each_glyph (cairo_type1_font_subset_t *font,`

			`/* Skip binary data and \|- or ND token. */`
			`p = skip_token (charstring + charstring_length, dict_end);`
			`+ if (p == NULL)`
			`+ return CAIRO_INT_STATUS_NO_MEMORY;`
			`while (p < dict_end && _cairo_isspace(*p))`
			`p++;`

			`--`
			`2.23.0`