authorSimon Bünzli <zeniko@gmail.com>2014-07-18 21:50:01 +0200
committerTor Andersson <tor.andersson@artifex.com>2014-08-19 17:07:08 +0200
commitb99e1d0f77203cc98a21970106670667b9682a6b (patch)
treeaa3b139e844cd8a0edb879e52f6f3252288b0bab /source/xps
parentdb0268f1dc0f71b7a1e771a312148affa9ec0ca5 (diff)
downloadmupdf-b99e1d0f77203cc98a21970106670667b9682a6b.tar.xz
prevent buffer overflow and memory leak in xps-glyphs.c
xps_deobfuscate_font_resource assumes that a font has at least 32 bytes of data required for deobfuscation. If a broken font has less data, the buffer overflows. Also, the data buffer is leaked when fz_new_font_from_buffer throws.
Diffstat (limited to 'source/xps')
-rw-r--r--source/xps/xps-glyphs.c23
1 files changed, 16 insertions, 7 deletions
diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
index afd9266f..d917b517 100644
--- a/source/xps/xps-glyphs.c
+++ b/source/xps/xps-glyphs.c
@@ -101,6 +101,12 @@ xps_deobfuscate_font_resource(xps_document *doc, xps_part *part)
char *p;
int i;
+ if (part->size < 32)
+ {
+ fz_warn(doc->ctx, "insufficient data for font deobfuscation");
+ return;
+ }
+
p = strrchr(part->name, '/');
if (!p)
p = part->name;
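Review bot: The bound `32` in the new guard is a bare magic number whose meaning lives in the deobfuscation loop further down in xps_deobfuscate_font_resource, outside this hunk, so a reader of the guard cannot tell why 32 is the minimum; a one-line comment above it would tie the two together, e.g. `/* deobfuscation rewrites the first 32 bytes of the font data; a shorter part would be read and written past its end */`, or the value could become a named constant shared with the loop. The early return leaves the part's data untouched, so the caller presumably goes on to hand still-obfuscated bytes to the font loader and relies on that failing on its own — worth confirming, since this is what turns the former overflow into a plain load failure. The type of `part->size` is not visible here; if it is signed, negative values also take this branch, which is the safe direction.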
@@ -503,6 +509,9 @@ xps_parse_glyphs(xps_document *doc, const fz_matrix *ctm,
font = xps_lookup_font(doc, fakename);
if (!font)
{
+ fz_buffer *buf = NULL;
+ fz_var(buf);
+
fz_try(doc->ctx)
{
part = xps_read_part(doc, partname);
@@ -522,15 +531,20 @@ xps_parse_glyphs(xps_document *doc, const fz_matrix *ctm,
fz_try(doc->ctx)
{
- fz_buffer *buf = fz_new_buffer_from_data(doc->ctx, part->data, part->size);
+ buf = fz_new_buffer_from_data(doc->ctx, part->data, part->size);
+ /* part->data is now owned by buf */
+ part->data = NULL;
font = fz_new_font_from_buffer(doc->ctx, NULL, buf, subfontid, 1);
+ }
+ fz_always(doc->ctx)
+ {
fz_drop_buffer(doc->ctx, buf);
+ xps_free_part(doc, part);
}
fz_catch(doc->ctx)
{
fz_rethrow_if(doc->ctx, FZ_ERROR_TRYLATER);
fz_warn(doc->ctx, "cannot load font resource '%s'", partname);
- xps_free_part(doc, part);
return;
}
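Review bot: Moving `xps_free_part(doc, part)` into the `fz_always` block ends `part`'s lifetime at the close of this try/catch, so any later access to `part` in xps_parse_glyphs — the function continues past the hunk, and the lines between this hunk and the next are not shown — would now be a use-after-free; worth confirming nothing there still dereferences it, and clearing the pointer right after the free, `part = NULL;` following `xps_free_part(doc, part);`, makes any such stale use fail deterministically instead of silently. The ownership hand-off is ordered correctly: `part->data = NULL;` sits between the two calls, so if `fz_new_buffer_from_data` throws, `part` still owns the data and `xps_free_part` releases it, while on success `fz_drop_buffer` only drops this function's reference. The `fz_rethrow_if(doc->ctx, FZ_ERROR_TRYLATER)` now runs after the part has been freed, which is fine only because the retry path re-reads the part from scratch rather than reusing `part`; the comment `/* part->data is now owned by buf */` could say so in one more clause, e.g. `/* part->data is now owned by buf; part itself is freed in fz_always, so nothing below may use it */`.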
@@ -541,12 +555,7 @@ xps_parse_glyphs(xps_document *doc, const fz_matrix *ctm,
}
xps_select_best_font_encoding(doc, font);
-
xps_insert_font(doc, fakename, font);
-
- /* NOTE: we already saved part->data in the buffer in the font */
- fz_free(doc->ctx, part->name);
- fz_free(doc->ctx, part);
}
/*