diff --git a/CHANGES.md b/CHANGES.md index 1a153ac..d429f78 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -2,6 +2,13 @@ Changes in PDFio ================ +v1.3.1 (August DD, 2024) +------------------------ + +- CVE 2024-42358: Updated TrueType font reader to avoid large memory + allocations. + + v1.3.0 (June 28, 2024) ---------------------- diff --git a/configure b/configure index 6b42620..2c20c91 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for pdfio 1.3.0. +# Generated by GNU Autoconf 2.71 for pdfio 1.3.1. # # Report bugs to . # @@ -610,8 +610,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='pdfio' PACKAGE_TARNAME='pdfio' -PACKAGE_VERSION='1.3.0' -PACKAGE_STRING='pdfio 1.3.0' +PACKAGE_VERSION='1.3.1' +PACKAGE_STRING='pdfio 1.3.1' PACKAGE_BUGREPORT='https://github.com/michaelrsweet/pdfio/issues' PACKAGE_URL='https://www.msweet.org/pdfio' @@ -1293,7 +1293,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pdfio 1.3.0 to adapt to many kinds of systems. +\`configure' configures pdfio 1.3.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1359,7 +1359,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pdfio 1.3.0:";; + short | recursive ) echo "Configuration of pdfio 1.3.1:";; esac cat <<\_ACEOF @@ -1456,7 +1456,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pdfio configure 1.3.0 +pdfio configure 1.3.1 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. 
@@ -1612,7 +1612,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pdfio $as_me 1.3.0, which was +It was created by pdfio $as_me 1.3.1, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -2368,9 +2368,9 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu -PDFIO_VERSION="1.3.0" -PDFIO_VERSION_MAJOR="`echo 1.3.0 | awk -F. '{print $1}'`" -PDFIO_VERSION_MINOR="`echo 1.3.0 | awk -F. '{printf("%d\n",$2);}'`" +PDFIO_VERSION="1.3.1" +PDFIO_VERSION_MAJOR="`echo 1.3.1 | awk -F. '{print $1}'`" +PDFIO_VERSION_MINOR="`echo 1.3.1 | awk -F. '{printf("%d\n",$2);}'`" @@ -4935,7 +4935,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pdfio $as_me 1.3.0, which was +This file was extended by pdfio $as_me 1.3.1, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4991,7 +4991,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -pdfio config.status 1.3.0 +pdfio config.status 1.3.1 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 654257b..e8944e7 100644 --- a/configure.ac +++ b/configure.ac @@ -21,7 +21,7 @@ AC_PREREQ([2.70]) dnl Package name and version... -AC_INIT([pdfio], [1.3.0], [https://github.com/michaelrsweet/pdfio/issues], [pdfio], [https://www.msweet.org/pdfio]) +AC_INIT([pdfio], [1.3.1], [https://github.com/michaelrsweet/pdfio/issues], [pdfio], [https://www.msweet.org/pdfio]) PDFIO_VERSION="AC_PACKAGE_VERSION" PDFIO_VERSION_MAJOR="`echo AC_PACKAGE_VERSION | awk -F. '{print $1}'`" 
diff --git a/pdfio.h b/pdfio.h index f295fa1..f905c82 100644 --- a/pdfio.h +++ b/pdfio.h @@ -23,7 +23,7 @@ extern "C" { // Version number... // -# define PDFIO_VERSION "1.3.0" +# define PDFIO_VERSION "1.3.1" // diff --git a/ttf.c b/ttf.c index 9607fd0..9760479 100644 --- a/ttf.c +++ b/ttf.c @@ -3,7 +3,7 @@ // // https://github.com/michaelrsweet/ttf // -// Copyright © 2018-2023 by Michael R Sweet. +// Copyright © 2018-2024 by Michael R Sweet. // // Licensed under Apache License v2.0. See the file "LICENSE" for more // information. @@ -99,7 +99,7 @@ typedef __int64 ssize_t; // POSIX type not present on Windows... // #define TTF_FONT_MAX_CHAR 262144 // Maximum number of character values - +#define TTF_FONT_MAX_GROUPS 65536 // Maximum number of sub-groups // // TTF/OFF tag constants... @@ -1285,7 +1285,14 @@ read_cmap(ttf_t *font) // I - Font // segCount --; // Last segment is not used (sigh) font->num_cmap = segments[segCount - 1].endCode + 1; - font->cmap = cmapptr = (int *)malloc(font->num_cmap * sizeof(int)); + + if (font->num_cmap > TTF_FONT_MAX_CHAR) + { + errorf(font, "Invalid cmap table with %u characters.", (unsigned)font->num_cmap); + return (false); + } + + font->cmap = cmapptr = (int *)malloc(font->num_cmap * sizeof(int)); if (!font->cmap) { @@ -1356,6 +1363,12 @@ read_cmap(ttf_t *font) // I - Font TTF_DEBUG("read_cmap: nGroups=%u\n", nGroups); + if (nGroups > TTF_FONT_MAX_GROUPS) + { + errorf(font, "Invalid cmap table with %u groups.", nGroups); + return (false); + } + if ((groups = (_ttf_off_cmap12_t *)calloc(nGroups, sizeof(_ttf_off_cmap12_t))) == NULL) { errorf(font, "Unable to allocate memory for cmap."); 
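Review bot: The comment on `TTF_FONT_MAX_GROUPS` ("Maximum number of sub-groups") does not say which field it limits or that it bounds an allocation sized from file data. From its uses later in this diff it caps `nGroups` before the `_ttf_off_cmap12_t` and `_ttf_off_cmap13_t` arrays are allocated. I would write it as `#define TTF_FONT_MAX_GROUPS 65536 // Maximum number of cmap format 12/13 groups accepted from a font`.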
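Review bot: The new `return (false);` under `if (font->num_cmap > TTF_FONT_MAX_CHAR)` exits while `segments` is still in use (it is indexed on the line just above), and nothing in the hunk releases it. If `segments`, or any other buffer read_cmap obtained before this point, is heap-allocated, every font rejected by the new limit leaks it; the allocation is outside the hunk, so this needs confirming, and it matters for a check that exists to limit memory use on untrusted fonts. The two later copies of this check (the hunks starting at new lines 1389 and 1472) appear to sit after `groups` has been obtained from `calloc()` and return the same way. I would add the matching cleanup before each return, e.g. `free(segments);` here and `free(groups);` in the other two. read_cmap starts and ends outside this hunk.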
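Review bot: The added bound rejects only `nGroups > TTF_FONT_MAX_GROUPS`, so a table declaring zero groups still reaches `calloc(nGroups, ...)` on the next line. `calloc(0, n)` may return NULL or a zero-size block depending on the C library, so the same font is either reported as "Unable to allocate memory for cmap." or accepted with an empty group list. Rejecting it in the new check makes the outcome consistent: `if (nGroups == 0 || nGroups > TTF_FONT_MAX_GROUPS)`. The format 13 copy of this check (hunk starting at new line 1446) has the same gap, and the block opened after `calloc()` continues past the end of this hunk.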
@@ -1376,6 +1389,13 @@ read_cmap(ttf_t *font) // I - Font // Based on the end code of the segent table, allocate space for the // uncompressed cmap table... TTF_DEBUG("read_cmap: num_cmap=%u\n", (unsigned)font->num_cmap); + + if (font->num_cmap > TTF_FONT_MAX_CHAR) + { + errorf(font, "Invalid cmap table with %u characters.", (unsigned)font->num_cmap); + return (false); + } + font->cmap = cmapptr = (int *)malloc(font->num_cmap * sizeof(int)); if (!font->cmap) @@ -1426,6 +1446,12 @@ read_cmap(ttf_t *font) // I - Font TTF_DEBUG("read_cmap: nGroups=%u\n", nGroups); + if (nGroups > TTF_FONT_MAX_GROUPS) + { + errorf(font, "Invalid cmap table with %u groups.", nGroups); + return (false); + } + if ((groups = (_ttf_off_cmap13_t *)calloc(nGroups, sizeof(_ttf_off_cmap13_t))) == NULL) { errorf(font, "Unable to allocate memory for cmap."); @@ -1446,6 +1472,13 @@ read_cmap(ttf_t *font) // I - Font // Based on the end code of the segent table, allocate space for the // uncompressed cmap table... TTF_DEBUG("read_cmap: num_cmap=%u\n", (unsigned)font->num_cmap); + + if (font->num_cmap > TTF_FONT_MAX_CHAR) + { + errorf(font, "Invalid cmap table with %u characters.", (unsigned)font->num_cmap); + return (false); + } + font->cmap = cmapptr = (int *)malloc(font->num_cmap * sizeof(int)); if (!font->cmap)
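Review bot: This limit is applied to the derived `font->num_cmap` after all groups have been read, not to the end codes taken from the file. How `num_cmap` is computed for this format is outside the hunk; if it follows the format 4 pattern visible earlier in this diff (`endCode + 1`) in 32-bit unsigned arithmetic, the increment can wrap and leave a small `num_cmap` that passes the `>` test while the groups still describe a larger range. I would confirm that computation and, if it can wrap, reject each group as it is read by comparing its end code with `TTF_FONT_MAX_CHAR` before the `+ 1`. The same applies to the format 13 copy (hunk starting at new line 1472).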
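Review bot: The five-line `num_cmap` check is now pasted three times in read_cmap (here and in the hunks starting at new lines 1285 and 1389), and the `nGroups` check twice, so a later change to a limit or message has to be repeated in every copy. A small static helper keeps the bound and the error text in one place; each call site then becomes a one-line test followed by its own cleanup and `return (false);`. The sketch below shows the helper only, since the call sites and the rest of read_cmap extend beyond this hunk.

```c
// Return true when the decoded cmap size is within TTF_FONT_MAX_CHAR,
// otherwise report the invalid table on the font's error callback.
static bool
cmap_size_ok(ttf_t *font)               // I - Font
{
  if (font->num_cmap <= TTF_FONT_MAX_CHAR)
    return (true);

  errorf(font, "Invalid cmap table with %u characters.", (unsigned)font->num_cmap);
  return (false);
}

// … unchanged: read_cmap body; each pasted check becomes `if (!cmap_size_ok(font))` …
```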