From 5f53dbc3e917d44e92619f831ba06be7944b5471 Mon Sep 17 00:00:00 2001
From: Chris Liddell
Date: Mon, 29 May 2017 16:19:39 +0100
Subject: Bounds check buffers for downloaded glyphs in PCL. For downloaded fonts, there were several buffer overreads reported by valgrind when interpreting Intellifont glyph descriptions. This adds using the (already existing) length field to bounds check when we interpret the glyph.
---
 pcl/pl/pllfont.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'pcl/pl/pllfont.c')
diff --git a/pcl/pl/pllfont.c b/pcl/pl/pllfont.c
index cd10cd134..ba5baba0b 100644
--- a/pcl/pl/pllfont.c
+++ b/pcl/pl/pllfont.c
@@ -342,7 +342,7 @@ pl_load_ufst_lineprinter(gs_memory_t * mem, pl_dict_t * pfontdict,
 /* NB this shouldn't happen but it does, should be looked at */
 if (ucode != 0xffff)
- code = pl_font_add_glyph(pplfont, ucode, char_data + 2);
+ code = pl_font_add_glyph(pplfont, ucode, char_data + 2, ccode_plus_header_plus_data);
 if (code < 0) /* shouldn't happen */
-- cgit v1.2.1
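Review bot: At the changed call, the length argument `ccode_plus_header_plus_data` may overstate how many bytes are readable from the pointer it is paired with, `char_data + 2`. Going by its name, the value counts the character code, header and data, i.e. the whole `char_data` buffer, while the pointer skips the first two bytes; the allocation and the computation of the length are outside this hunk, so this needs confirming. If that reading is right, the bounds check the commit message describes would still accept reads up to two bytes past the end of the buffer, and the call should be `code = pl_font_add_glyph(pplfont, ucode, char_data + 2, ccode_plus_header_plus_data - 2);`. The body of `pl_load_ufst_lineprinter` starts and ends outside the hunk.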