authorChris Liddell <chris.liddell@artifex.com>2020-09-11 15:08:55 +0100
committerChris Liddell <chris.liddell@artifex.com>2020-09-14 15:24:25 +0100
commit542e32e6aa630ad909c39304ba4e48870695781e (patch)
treec9623f825cd63b94457abc080ac28db623713ad1
parentf4aae0832544e76d148db9eb52a24c34a416b56c (diff)
oss-fuzz 25480: CFF - cope with "empty" float number.
If a CFF stream encoded a fractional number with no content (i.e. a starting op code immediately followed by an ending op code), we were still trying to parse meaning out of the empty temporary buffer. So, check that we have actually decoded bytes from the stream before converting to a floating point value.
-rw-r--r--psi/zfont2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/psi/zfont2.c b/psi/zfont2.c
index db7b81e7d..05cea3881 100644
--- a/psi/zfont2.c
+++ b/psi/zfont2.c
@@ -1526,12 +1526,18 @@ get_float(ref *fnum, const cff_data_t *data, unsigned p, unsigned pe)
int sign = 0;
char *eptr, *bptr = buf;
- if (buf[0] == '-'){
+ if (q > buf && buf[0] == '-'){
sign = -1;
bptr = &(buf[1]);
}
- code = scan_number ((const byte *)bptr, (const byte *)q, sign, fnum, (const byte **)&eptr, 0);
+ if (q > buf) {
+ code = scan_number ((const byte *)bptr, (const byte *)q, sign, fnum, (const byte **)&eptr, 0);
+ }
+ else {
+ code = 0;
+ make_int(fnum, 0);
+ }
if (code < 0) {
return(code);
}