Fix crash when reading TTC font for glyph mapping table selection

* src/sfnt.c (sfnt_read_cmap_table): Seek to the table directory
if DESC->offset is provided.
* src/sfntfont.c (sfntfont_read_cmap): Accurately verify cmap
subtable header size.  (bug#65185)

diff --git a/src/sfnt.c b/src/sfnt.c
index 876db70bcdae2d1229c3671f86de4abba5d961b5..8ccb672c5d5ffe62c667359f792021edc747ee74 100644 (file)
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -1006,7 +1006,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
       /* Read the common part of the new subtable.  */
       rc = read (fd, &(*subtables)[i], sizeof (*subtables)[i]);
 
-      if (rc < sizeof (*subtables))
+      if (rc < sizeof (*subtables)[i])
        {
          xfree (cmap);
          xfree (*subtables);

diff --git a/src/sfntfont.c b/src/sfntfont.c
index 6927b1857210273e7416d6aa7acfece12c2feec0..22e7f0e383202e43ac63b8c0608545cf6714bccb 100644 (file)
--- a/src/sfntfont.c
+++ b/src/sfntfont.c
@@ -1341,9 +1341,22 @@ sfntfont_read_cmap (struct sfnt_font_desc *desc,
   if (fd < 0)
     return;
 
+  /* Seek to the start of the font itself within its collection.  */
+
+  if (desc->offset
+      && lseek (fd, desc->offset, SEEK_SET) != desc->offset)
+    {
+      emacs_close (fd);
+      return;
+    }
+
   font = sfnt_read_table_directory (fd);
 
-  if (!font)
+  /* Return if FONT is a TrueType collection: the file pointer should
+     already have been moved to the start of the table directory if
+     so.  */
+
+  if (!font || font == (struct sfnt_offset_subtable *) -1)
     {
       emacs_close (fd);
       return;