From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 20 Jan 2025 09:38:59 +0000
Subject: Bug 708259: Check TTF name size before copying to buffer.
Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a82738e387bbb44c7c4698404776dca53f62b158
Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708259
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27833

CVE-2025-27833
---
 pdf/pdf_fmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c
index 73af9771d5c2..63e61d003745 100644
--- a/pdf/pdf_fmap.c
+++ b/pdf/pdf_fmap.c
@@ -749,7 +749,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
                         int nl = u16(rec + 8);
                         int noffs = u16(rec + 10);
 
-                        if (nl + noffs + storageOffset > table_len) {
+                        if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
                             break;
                         }
                         memcpy(pname, namet + storageOffset + noffs, nl);
@@ -787,7 +787,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4]
                             int nl = u16(rec + 8);
                             int noffs = u16(rec + 10);
 
-                            if (nl + noffs + storageOffset > table_len) {
+                            if (nl + noffs + storageOffset > table_len || nl >= pname_size) {
                                 break;
                             }
                             memcpy(pname, namet + storageOffset + noffs, nl);
-- 
2.49.0