From 4e515dd14a67b9069610e4a10baee300fb08421a Mon Sep 17 00:00:00 2001
From: sun_hai_10
Date: Wed, 14 Jun 2023 16:44:30 +0800
Subject: [PATCH] fix heap buffer overflow in cairo_cff_parse_charstring

---
 src/cairo-cff-subset.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 64fc69e..c94a4d0 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1789,7 +1789,13 @@ cairo_cff_font_subset_charstrings_and_subroutines (cairo_cff_font_t *font)
 } else {
 glyph = font->scaled_font_subset->glyphs[i];
 }
- element = _cairo_array_index (&font->charstrings_index, glyph);
+
+ cairo_array_t *array = &font->charstrings_index;
+ element = _cairo_array_index (array, glyph);
+ if (element == NULL)
+ return CAIRO_INT_STATUS_NO_MEMORY;
+ if (array->element_size < element->length)
+ return CAIRO_INT_STATUS_UNSUPPORTED;
 status = cff_index_append (&font->charstrings_subset_index, element->data, element->length);
--
2.23.0
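Review bot: The new guard `if (array->element_size < element->length)` compares the cairo_array_t slot size — the size of one index element struct, not the charstring — with the charstring's byte length, so the two operands are unrelated quantities; if that reading is right, ordinary charstrings longer than a few dozen bytes would now be rejected as UNSUPPORTED while a corrupt element whose `length` overruns its `data` buffer is not what this detects. The NULL check does not cover the out-of-range case either: as far as I recall `_cairo_array_index` returns NULL only for an empty array and asserts on `index >= num_elements`, so a bad `glyph` value is still not caught in release builds, and reporting it as NO_MEMORY mislabels the failure. A bound check before indexing, `if (glyph >= _cairo_array_num_elements (array)) return CAIRO_INT_STATUS_UNSUPPORTED;`, is the direct fix for the index, and `element->length` should be validated against the bounds of the CFF data where the index is parsed rather than here. The enclosing function starts and ends outside the hunk, so whether an early `return` inside this loop skips cleanup of state built up so far could not be checked.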