Avoid out of bounds crash when reading fonts
CFGAS_FontMgr::RegisterFace() has a GetNames() helper function that
reads font tables. If a font table contains invalid lengths or offsets,
the code will attempt to do an out of bounds read and crash. Check for
this condition and skip the bad font data to avoid this crash.
Bug: 389967361
Change-Id: Ic499687158f2f86f4eb542ff6478a1761e5a608d
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/127890
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>
diff --git a/xfa/fgas/font/cfgas_fontmgr.cpp b/xfa/fgas/font/cfgas_fontmgr.cpp
index 48ec7d0..507e09c 100644
--- a/xfa/fgas/font/cfgas_fontmgr.cpp
+++ b/xfa/fgas/font/cfgas_fontmgr.cpp
@@ -449,6 +449,11 @@
continue;
}
+ // Avoid out of bounds crashes if the length and/or offset are wrong.
+ if (static_cast<size_t>(nNameLength) + nNameOffset >= str.size()) {
+ continue;
+ }
+
WideString wsFamily;
for (uint16_t j = 0; j < nNameLength; ++j) {
wchar_t wcTemp = str[nNameOffset + j];
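Review bot: The new bounds check is one byte stricter than the loop that follows needs. The loop reads `str[nNameOffset + j]` for `j < nNameLength`, so the highest index touched is `nNameOffset + nNameLength - 1`, and a name record that ends exactly at the end of the table (`nNameOffset + nNameLength == str.size()`) is in bounds but is skipped by `>= str.size()`. Either change the comparison to `> str.size()` or add a comment stating that rejecting the exact-fit case is intentional, so a later reader does not "fix" it in the wrong direction. The `static_cast<size_t>(nNameLength)` on the left operand is correct: it forces the addition into `size_t` before the comparison, so a 16-bit `nNameLength` plus `nNameOffset` cannot wrap in a narrower type and the sum is compared against `str.size()` in the same width. The check is also placed before the first use of `nNameOffset` in this block, which is where it belongs. A regression test that feeds a font with an out-of-range name offset or length through `RegisterFace()` and asserts that the entry is skipped rather than crashing would pin this behaviour down.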