Bug 699627: Ignore CMap input ranges outside of input codespaces.

Thanks to oss-fuzz for reporting.

2 files changed, 29 insertions, 0 deletions

diff --git a/source/pdf/pdf-cmap.c b/source/pdf/pdf-cmap.c
index 6abacc56..0764e32b 100644
--- a/source/pdf/pdf-cmap.c
+++ b/source/pdf/pdf-cmap.c
@@ -485,6 +485,9 @@ add_range(fz_context *ctx, pdf_cmap *cmap, unsigned int low, unsigned int high,
 {
 	int current;
 	cmap_splay *tree;
+	int i;
+	int inrange = 0;
+	unsigned int k, count;
 
 	if (low > high)
 	{
@@ -492,6 +495,24 @@ add_range(fz_context *ctx, pdf_cmap *cmap, unsigned int low, unsigned int high,
 		return;
 	}
 
+	count = high - low + 1;
+	for (k = 0; k < count; k++) {
+		unsigned int c = low + k;
+
+		inrange = 0;
+		for (i = 0; i < cmap->codespace_len; i++) {
+			if (cmap->codespace[i].low <= c && c <= cmap->codespace[i].high)
+				inrange = 1;
+		}
+		if (!inrange)
+		{
+			fz_warn(ctx, "ignoring CMap range (%u-%u) that is outside of the codespace", low, high);
+			return;
+		}
+	}
+
+
+
 	tree = cmap->tree;
 
 	if (cmap->tlen)
diff --git a/source/pdf/pdf-unicode.c b/source/pdf/pdf-unicode.c
index 9cc378c8..2b61be97 100644
--- a/source/pdf/pdf-unicode.c
+++ b/source/pdf/pdf-unicode.c
@@ -37,6 +37,14 @@ pdf_remap_cmap(fz_context *ctx, pdf_cmap *gid_from_cpt, pdf_cmap *ucs_from_cpt)
 		if (gid_from_cpt->usecmap)
 			ucs_from_gid->usecmap = pdf_remap_cmap(ctx, gid_from_cpt->usecmap, ucs_from_cpt);
 
+		for (i = 0; i < gid_from_cpt->codespace_len; i++)
+		{
+			pdf_add_codespace(ctx, ucs_from_gid,
+					gid_from_cpt->codespace[i].low,
+					gid_from_cpt->codespace[i].high,
+					gid_from_cpt->codespace[i].n);
+		}
+
 		for (i = 0; i < gid_from_cpt->rlen; ++i)
 		{
 			a = gid_from_cpt->ranges[i].low;