From 477e36cfa1faa0037069a22eeeb4fc750733f120 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra
Date: Mon, 20 Jan 2025 09:38:59 +0000
Subject: Bug 708259: Check TTF name size before copying to buffer.

CVE-2025-27833
---
 pdf/pdf_fmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c
index ee05af1..4458b5b 100644
--- a/pdf/pdf_fmap.c
+++ b/pdf/pdf_fmap.c
@@ -539,7 +539,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
 if (u16(rec + 6) == 6) {
 int nl = u16(rec + 8);
 int noffs = u16(rec + 10);
- if (nl + noffs + storageOffset > table_len) {
+ if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
 break;
 }
 memcpy(pname, namet + storageOffset + noffs, nl);
@@ -559,7 +559,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
 if (u16(rec + 6) == 4) {
 int nl = u16(rec + 8);
 int noffs = u16(rec + 10);
- if (nl + noffs + storageOffset > table_len) {
+ if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
 break;
 }
 memcpy(pname, namet + storageOffset + noffs, nl);
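Review bot: The added `nl >= pname_size` guard appears twice with no comment, once in the name ID 6 branch (hunk at 539) and once in the name ID 4 branch (hunk at 559), and neither hunk shows why it is `>=` rather than `>`. If the byte after the copied name holds a terminator (that line is outside both hunks, so this is inferred), a comment such as `/* reject names that would not leave room for the terminating NUL in pname */` above each check would stop a later edit from relaxing it. The guard is only as good as `pname_size`, whose definition is also outside the hunks; it is worth confirming that it is derived from the buffer itself (for example `sizeof(pname)` if `pname` is an array) and not from a separate constant that can drift. Since the two branches now carry an identical two-part condition before the same `memcpy`, a small `static` helper that validates `nl`, `noffs` and `storageOffset` against `table_len` and `pname_size` would keep them in sync. `pdfi_ttf_add_to_native_map` starts and ends outside both hunks.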