From 920fae688705b3a25a1f8925f3837219a6243565 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Wed, 20 Nov 2024 11:27:52 +0000
Subject: Bug 708131: Fix confusion between bytes and shorts

We were copying data from a string in multiple of shorts, rather than multiple
of bytes, leading to both an read (probably benign, given the memory manager)
and write buffer overflow.

CVE-2025-27835
---
 psi/zbfont.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/psi/zbfont.c b/psi/zbfont.c
index acffb39ef..5850ab54d 100644
--- a/psi/zbfont.c
+++ b/psi/zbfont.c
@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
                     if (l > length)
                         return l;
 
-                    memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
+                    memcpy(unicode_return, v->value.const_bytes, l);
                     return l;
                 }
                 if (r_type(v) == t_integer) {
-- 
cgit v1.2.3