FIX: reject out-of-range charmap index in FT2Font.set_charmap

FT2Font.set_charmap(i) only checked the upper bound (i >= num_charmaps).
A negative i passed the check and was used to index face->charmaps[i],
an out-of-bounds read whose result was then dereferenced by
FT_Set_Charmap, crashing the interpreter (e.g. set_charmap(-1)).

Reject negative indices as well, raising the same RuntimeError already
used for too-large indices. Valid indices in [0, num_charmaps) are
unaffected.

Author: arshsmith

lib/matplotlib/tests/test_ft2font.py

@@ -346,6 +346,14 @@ def enc(name):
         # Though the encoding is different, the glyph should be the same.
         assert unic[u] == armn[m]
 
+    # Out-of-range charmap indices must be rejected rather than indexing out of
+    # bounds. A negative index previously passed the upper-bound-only check and
+    # read face->charmaps[i] out of bounds.
+    with pytest.raises(RuntimeError, match='exceeds the available number'):
+        font.set_charmap(-1)
+    with pytest.raises(RuntimeError, match='exceeds the available number'):
+        font.set_charmap(font.num_charmaps)
+
 
 _expected_sfnt_names = {
     'DejaVu Sans': {

src/ft2font.cpp

@@ -269,7 +269,7 @@ void FT2Font::_set_transform(
 
 void FT2Font::set_charmap(int i)
 {
-    if (i >= face->num_charmaps) {
+    if (i < 0 || i >= face->num_charmaps) {
         throw std::runtime_error("i exceeds the available number of char maps");
     }
     FT_CHECK(FT_Set_Charmap, face, face->charmaps[i]);