Created attachment 124719 [details] [review] patch to fix this issue

The argument to FcWeightToOpenType is already properly upper bounded, but the same check should be done in FcWeightFromOpenType, too. This fixes an out-of-bounds access while iterating over the array on malicious font input.
Actually I prefer if we extrapolate larger numbers instead of rejecting them. We already rely on that in the GX variation fonts codepath.
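The two approaches discussed in this thread (rejecting or clamping an out-of-range OpenType weight versus bounding the table index and letting the value extrapolate) side by side, as an added example that is not fontconfig's code. The weight table below is shaped like a fontconfig-style map (OpenType weight on one axis, a second weight scale on the other) but its values, the function names weight_from_ot_extrapolate, weight_from_ot_clamp, find_row and unbounded_loop_overruns, and the plain truncating integer interpolation are all this example's own assumptions:

```c
#include <stdio.h>

/* Illustrative weight table. Row layout follows the pattern in the bug
 * (an fc value paired with an OpenType weight), but the numbers are
 * chosen for this example and are not fontconfig's table. The ot column
 * must be strictly increasing for the interpolation below to work. */
struct weight_pair { int fc; int ot; };

static const struct weight_pair map[] = {
    {   0, 100 },   /* thin */
    {  40, 200 },   /* extra light */
    {  50, 300 },   /* light */
    {  80, 400 },   /* regular */
    { 100, 500 },   /* medium */
    { 180, 600 },   /* demibold */
    { 200, 700 },   /* bold */
    { 205, 800 },   /* extra bold */
    { 210, 900 },   /* black */
};
#define MAP_LEN ((int)(sizeof map / sizeof map[0]))

/* Would the unbounded scan "for (i = 1; ot_weight > map[i].ot; i++) ;"
 * step past the last row for this input? Answered arithmetically, so the
 * out-of-bounds read is never actually performed here. */
int unbounded_loop_overruns(int ot_weight)
{
    return ot_weight > map[MAP_LEN - 1].ot;
}

/* Find the row i (1 <= i <= MAP_LEN-1) whose segment [map[i-1].ot, map[i].ot]
 * contains the input. The index, not the input, is bounded: inputs above the
 * table stop at the last row, inputs below it stop at the first row, and the
 * array is never read outside [0, MAP_LEN-1]. */
static int find_row(int ot_weight)
{
    int i;
    for (i = 1; i < MAP_LEN - 1 && ot_weight > map[i].ot; i++)
        ;
    return i;
}

/* Linear interpolation along segment i-1 -> i, with the ot values as the
 * input axis and the fc values as the output axis. Inputs outside the
 * segment continue along its slope, i.e. they extrapolate. Integer
 * division truncates toward zero; good enough for an example. */
static int lerp_row(int i, int ot_weight)
{
    const struct weight_pair *lo = &map[i - 1], *hi = &map[i];
    long num = (long)(ot_weight - lo->ot) * (hi->fc - lo->fc);
    long den = hi->ot - lo->ot;
    return lo->fc + (int)(num / den);
}

/* Variant preferred in comment 2: bounded index, unclamped input, so a
 * weight beyond the table extrapolates along the edge segment. */
int weight_from_ot_extrapolate(int ot_weight)
{
    return lerp_row(find_row(ot_weight), ot_weight);
}

/* Variant in the attached patch: clamp the input to the last row first.
 * Also in bounds, but every weight above the table collapses to the last
 * row's fc value instead of extrapolating. */
int weight_from_ot_clamp(int ot_weight)
{
    if (ot_weight > map[MAP_LEN - 1].ot)
        ot_weight = map[MAP_LEN - 1].ot;
    return lerp_row(find_row(ot_weight), ot_weight);
}

int main(void)
{
    /* 60000 stands in for a malicious usWeightClass from an OS/2 table
     * (constructed input for this example). */
    const int inputs[] = { 50, 400, 450, 900, 1000, 60000 };
    for (int k = 0; k < (int)(sizeof inputs / sizeof inputs[0]); k++) {
        int w = inputs[k];
        printf("ot %6d: unbounded loop overruns=%d  extrapolate=%5d  clamp=%3d\n",
               w, unbounded_loop_overruns(w),
               weight_from_ot_extrapolate(w), weight_from_ot_clamp(w));
    }
    return 0;
}
```

The difference only shows beyond the last row: with the table above, 1000 extrapolates to 215 but clamps to 210, and a hostile 60000 extrapolates to a large but harmless number while the original unbounded scan would have read past the array. Whichever policy a project picks, the invariant worth checking is that the loop's stopping condition, not the caller's input, is what keeps the index inside the table.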
I guess this may be what you prefer right? diff --git a/src/fcweight.c b/src/fcweight.c index 1a3b608..036a518 100644 --- a/src/fcweight.c +++ b/src/fcweight.c @@ -75,6 +75,7 @@ FcWeightFromOpenType (int ot_weight) case 9: ot_weight = 900; break; } } + ot_weight = FC_MIN (ot_weight, map[(sizeof (map) / sizeof (map[0])) - 1].ot); for (i = 1; ot_weight > map[i].ot; i++) ;
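Review bot: The FC_MIN clamp on ot_weight makes every value above map[last].ot behave exactly like the last table entry, which is clamping rather than the extrapolation comment 2 asked for (and which the GX variation path relies on). If extrapolation is the intent, bound the loop index instead of the input, for example `for (i = 1; i < (int)(sizeof (map) / sizeof (map[0])) - 1 && ot_weight > map[i].ot; i++) ;`, and leave ot_weight itself untouched for whatever uses it after the loop; either form keeps the `map[i].ot` read in the loop inside the array. The lower side needs no change: a value below map[0].ot fails the `ot_weight > map[1].ot` test at once and the loop stops at i = 1. The `sizeof (map) / sizeof (map[0])` expression is also worth wrapping in an element-count macro, since it now appears in a bounds check where a typo would silently reintroduce the overrun.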
*** Bug 96609 has been marked as a duplicate of this bug. ***
Fixed in git as comment #2.