Bug report

Bug summary
When a TrueType font lacks the lastexpected table (prep), an unbounded number of bytes isread fromptr in order to find it. The search only stops by chance if the bytes beyond the allocated table directory compare (strncmp) equal to or are greater than the sought for table name.

In rare cases (for example if the same memory location previously stored a larger font table directory), the search might find a matching table name and useschecksum,offset andlength of the previously processed font. This leads

• to anexception when offset and length go beyond the current font file size,
• to corrupted output when the current font file satisfies offset and length requirements, or
• to anexception if the value oflength is too large.

In principle, this can also cause a segmentation fault.

I think the library should not trust the font files and depend on the existence of theprep tables.

Code for reproduction
The following snippet involves a TrueType font with only 6 of the 9 required tables lackingprep and therefore exhibits the above error.

importmatplotlib.pyplotaspltfrommatplotlibimportrcParamsrcParams["ps.fonttype"]=42rcParams["mathtext.fontset"]="stix"plt.text(0.5,0.5,"Mass $m$")plt.savefig("broken.eps")

Please note, the above snippet also triggers another issue#20612. After including this fix alone, the resulting EPS is still broken.

Matplotlib version

• Operating system: Debian 11
• Matplotlib version (import matplotlib; print(matplotlib.__version__)): 3.4.2
• Matplotlib backend (print(matplotlib.get_backend())): TkAgg (but actually PS)
• Python version: 3.9.2
• Matplotlib installed with pip in a virtual env