oss-fuzz 42479: Handle badly broken CMaps

In this case, a ToUnicode CMap. The code was trying to be too liberal in carrying on in the face of broken input meaning, in this case, array indeces were ending up negative. In which case, we'll now stop interpreting, and ignore the ToUnicode CMap.
ArtifexSoftware · Dec 17, 2021 · cb2b78c · cb2b78c
1 parent 82d534f
commit cb2b78c
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/pdf/pdf_cmap.c b/pdf/pdf_cmap.c
@@ -174,6 +174,11 @@ static int general_endcidrange_func(gs_memory_t *mem, pdf_ps_ctx_t *s, pdf_cmap
                 preflen = 1;
             }
 
+            if (stobj[i].size - preflen < 0 || stobj[i + 1].size - preflen < 0) {
+                (void)pdf_ps_stack_pop(s, to_pop);
+                return_error(gs_error_syntaxerror);
+            }
+
             /* Find how many bytes we need for the cidbase value */
             /* We always store at least two bytes for the cidbase value */
             for (valuelen = 16; valuelen < 32 && (cidbase >> valuelen) > 0; valuelen += 1)