Out-of-bounds read leads to crash or broken TrueType fonts #20628

Closed
sauerburger opened this issue Jul 11, 2021 · 0 comments · Fixed by #20629

Comments

@sauerburger (Member) commented Jul 11, 2021

Bug report

Bug summary
When a TrueType font lacks the last expected table (prep), an unbounded number of bytes is read from ptr in order to find it. The search only stops by chance if the bytes beyond the allocated table directory compare (strncmp) equal to or greater than the sought-for table name.

In rare cases (for example if the same memory location previously stored a larger font table directory), the search might find a matching table name and use the checksum, offset and length of the previously processed font. This leads

  • to an exception when offset and length go beyond the current font file size,
  • to corrupted output when the current font file satisfies offset and length requirements, or
  • to an exception if the value of length is too large.

In principle, this can also cause a segmentation fault.

I think the library should not trust the font files and depend on the existence of the prep tables.

Code for reproduction
The following snippet involves a TrueType font with only 6 of the 9 required tables (it lacks prep) and therefore exhibits the above error.

import matplotlib.pyplot as plt
from matplotlib import rcParams

# Type 42 embeds the TrueType font itself into the PostScript output,
# which is what sends the font through ttconv's table-directory code.
rcParams["ps.fonttype"] = 42
# The STIX math font set supplies the six-table font that lacks prep.
rcParams["mathtext.fontset"] = "stix"

plt.text(0.5, 0.5, "Mass $m$")
plt.savefig("broken.eps")

Please note, the above snippet also triggers another issue #20612. After including this fix alone, the resulting EPS is still broken.

Matplotlib version

  • Operating system: Debian 11
  • Matplotlib version (import matplotlib; print(matplotlib.__version__)): 3.4.2
  • Matplotlib backend (print(matplotlib.get_backend())): TkAgg (but actually PS)
  • Python version: 3.9.2
  • Matplotlib installed with pip in a virtual env
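The report describes a table-directory walk that is bounded only by luck: the reader keeps comparing 16-byte records past the end of the directory until one happens to match or sort after the wanted tag. The following is an added example, not code from matplotlib or its bundled ttconv, of how a parser can walk the same directory safely: it reads exactly numTables records, validates every offset and length against the real file size before use, and reports which required tables are absent instead of searching for them. The set in REQUIRED_TABLES is an assumption (it has the nine entries the report counts, but the report does not list them), and the font blob is constructed inline for the example rather than taken from a real font.

```python
"""Bounded TrueType (sfnt) table-directory parsing. Added example, not matplotlib/ttconv code."""
import struct

OFFSET_TABLE = struct.Struct(">IHHHH")  # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checkSum, offset, length

# Assumption: the nine tables a Type 42 embedder expects. The issue only states the count.
REQUIRED_TABLES = (b"cvt ", b"fpgm", b"glyf", b"head", b"hhea", b"hmtx", b"loca", b"maxp", b"prep")


def table_checksum(payload: bytes) -> int:
    """TrueType checkSum: sum of the big-endian uint32 words of the 4-byte-padded table."""
    padded = payload + b"\0" * (-len(payload) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def parse_table_directory(data: bytes) -> dict:
    """Return {tag: (checksum, offset, length)}, refusing any record that would
    require reading outside `data`. Exactly numTables records are walked, and
    every offset/length pair is checked against the file size before it is trusted."""
    if len(data) < OFFSET_TABLE.size:
        raise ValueError("too short for an sfnt offset table")
    _version, num_tables, *_ = OFFSET_TABLE.unpack_from(data, 0)
    dir_end = OFFSET_TABLE.size + TABLE_RECORD.size * num_tables
    if dir_end > len(data):
        raise ValueError(f"numTables={num_tables} needs {dir_end} bytes, file has {len(data)}")
    tables = {}
    for i in range(num_tables):
        pos = OFFSET_TABLE.size + TABLE_RECORD.size * i
        tag, checksum, offset, length = TABLE_RECORD.unpack_from(data, pos)
        if tag in tables:
            raise ValueError(f"duplicate table {tag!r}")
        # Written as a subtraction so an absurd `length` cannot wrap offset + length
        # the way it would in C-style arithmetic.
        if offset < dir_end or offset > len(data) or length > len(data) - offset:
            raise ValueError(f"table {tag!r}: offset={offset} length={length} outside file of {len(data)} bytes")
        tables[tag] = (checksum, offset, length)
    return tables


def missing_required(tables: dict) -> list:
    """Required tags absent from a parsed directory, in REQUIRED_TABLES order."""
    return [tag for tag in REQUIRED_TABLES if tag not in tables]


def build_font(payloads: dict) -> bytes:
    """Assemble a minimal sfnt from {tag: payload}. Constructed test data, not a usable font."""
    n = len(payloads)
    offset = OFFSET_TABLE.size + TABLE_RECORD.size * n
    directory, body = b"", b""
    for tag in sorted(payloads):
        payload = payloads[tag]
        directory += TABLE_RECORD.pack(tag, table_checksum(payload), offset, len(payload))
        padded = payload + b"\0" * (-len(payload) % 4)
        body += padded
        offset += len(padded)
    return OFFSET_TABLE.pack(0x00010000, n, 0, 0, 0) + directory + body


def set_record_length(data: bytes, index: int, length: int) -> bytes:
    """Overwrite the length field of directory record `index`, simulating a stale or corrupt entry
    like the one the report describes being picked up from a previously processed font."""
    pos = OFFSET_TABLE.size + TABLE_RECORD.size * index + 12
    return data[:pos] + struct.pack(">I", length) + data[pos + 4:]


# Constructed six-table font mirroring the report: glyf/head/hhea/hmtx/loca/maxp present,
# cvt/fpgm/prep absent. Table bodies are zero-filled placeholders.
SIX_TABLE_FONT = build_font({
    b"glyf": bytes(16), b"head": bytes(54), b"hhea": bytes(36),
    b"hmtx": bytes(8), b"loca": bytes(8), b"maxp": bytes(32),
})


def check_font(data: bytes):
    """Return (missing required tags, None) for a well-formed directory,
    or (None, error message) when a record would read outside the file."""
    try:
        return missing_required(parse_table_directory(data)), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(check_font(SIX_TABLE_FONT))                                       # missing cvt, fpgm, prep
    print(check_font(set_record_length(SIX_TABLE_FONT, 0, 0xFFFFFFFF)))    # oversized length rejected
    print(check_font(SIX_TABLE_FONT[:200]))                                 # table past end of file rejected
```

The three cases exercised at the bottom correspond to the three outcomes the report lists: a missing table is reported rather than searched for beyond the directory, an oversized length is rejected before any read, and an offset/length pair that does not fit the current file is rejected instead of producing corrupted output.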