From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra
Date: Mon, 13 Jan 2025 09:15:01 +0000
Subject: [PATCH] Bug 708241: Fix potential Buffer overflow with DollarBlend
During serializing a multiple master font for passing to Freetype. Use CVE-2025-27830
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f]
CVE: CVE-2025-27830
Signed-off-by: Vijay Anusuri
---
 base/write_t1.c | 7 ++++---
 psi/zfapi.c | 9 +++++++--
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/base/write_t1.c b/base/write_t1.c
index 52902be..d6b2454 100644
--- a/base/write_t1.c
+++ b/base/write_t1.c
@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
     WRF_wbyte(a_fapi_font->memory, a_output, '\n');
     if (is_MM_font(a_fapi_font)) {
         short x, x2;
+        unsigned short ux;
         float x1;
         uint i, j, entries;
         char Buffer[255];
@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
          */
         code = a_fapi_font->get_word(a_fapi_font, gs_fapi_font_feature_DollarBlend_length,
-                                  0, (unsigned short *)&x);
+                                  0, &ux);
         if (code < 0) return code;
-        if (x > 0) {
+        if (ux > 0) {
             int len;
             WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
             if (a_output->m_count)
-                a_output->m_count += x;
+                a_output->m_count += ux;
             len = a_fapi_font->get_proc(a_fapi_font, gs_fapi_font_feature_DollarBlend, 0, (char *)a_output->m_pos);
diff --git a/psi/zfapi.c b/psi/zfapi.c
index 0b3ab1c..1ffef47 100644
--- a/psi/zfapi.c
+++ b/psi/zfapi.c
@@ -682,7 +682,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
         }
         for (i = 0; i < r_size(DBlend); i++) {
             if (array_get(ff->memory, DBlend, i, &Element) < 0) {
-                *ret = 0;
+                length = 0;
                 break;
             }
             switch (r_btype(&Element)) {
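Review bot: In the @@ -759 hunk of write_t1.c, `a_output->m_count` is advanced by `ux` before `get_proc` copies the $Blend procedure into `a_output->m_pos`, and nothing visible compares `ux` against the room left in the output; the overflow this commit addresses is closed only because the zfapi.c side now forces the reported length to 0 when it does not fit an unsigned short, so correctness depends on a contract between two files. If `WRF_output` carries a limit alongside `m_pos` and `m_count`, an explicit guard such as `if (a_output->m_count + ux > <output limit placeholder>) return gs_error_rangecheck;` before the `get_proc` call would make this function safe on its own. At minimum, document the coupling where `ux` is declared in the @@ -628 hunk: `/* 0 when the font has no $Blend or when its length cannot be reported through get_word */`. write_main_dictionary starts before and continues after these hunks, so whether `len` is later checked against `ux` cannot be seen here.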
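Review bot: Both failure paths in FAPI_FF_get_word now yield `length = 0` — here when `array_get` fails, and in the @@ -709 hunk when `length > max_ushort` — so the caller cannot distinguish a font without a $Blend from one whose $Blend could not be read or reported, and the entry is silently dropped from the serialized font. If the function has an error return (the hunk only shows `*ret` being assigned), a negative code or at least a debug message on these paths would keep the condition visible to whoever debugs a font that renders differently. If zero-as-absent is the intended contract, state it above the loop: `/* length 0 means no usable $Blend; the caller omits it */`. The function begins before and ends after this hunk.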
@@ -709,7 +709,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
             default:
                 break;
             }
-        }
+
+            if (length > max_ushort) {
+                length = 0;
+                break;
+            }
+        }
         *ret = length;
         break;
     }
-- 
2.25.1
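Review bot: The new `if (length > max_ushort)` check is the substance of the fix but carries no comment, so a reader sees an unsigned-short bound applied to an accumulator for no stated reason. Suggest placing above it: `/* length is returned through an unsigned short *ret (see the &ux caller in write_t1.c); a value that does not fit would be truncated there while the full data is still copied by get_proc, overrunning the output buffer. */`. The check runs once per element inside the for loop, so `length` presumably stops growing as soon as the bound is crossed; confirm where `length` is declared, outside this hunk, that its type is wider than unsigned short, otherwise the comparison can never be true.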