Resolves: coverity#706171 Untrusted value as argument

limit nBytesToRead to remaining size of file

also zero last byte of alloced block, seeing as the
block is size+1 and we only read size into it

Change-Id: I2729ec7bb9de20731531f32da864c572fa83ce58

1 files changed, 9 insertions, 4 deletions

diff --git a/vcl/generic/fontmanager/helper.cxx b/vcl/generic/fontmanager/helper.cxx
index 0e4bc89a8c4b..3a313190ea80 100644
--- a/vcl/generic/fontmanager/helper.cxx
+++ b/vcl/generic/fontmanager/helper.cxx
@@ -248,12 +248,12 @@ bool psp::convertPfbToPfa( ::osl::File& rInFile, ::osl::File& rOutFile )
     bool bSuccess = true;
     bool bEof = false;
     unsigned char buffer[256];
-    sal_uInt64 nRead;
-    sal_uInt64 nOrgPos = 0;
-    rInFile.getPos( nOrgPos );
+    sal_uInt64 nSize(0);
+    rInFile.getSize(nSize);
 
     while( bSuccess && ! bEof )
     {
+        sal_uInt64 nRead;
         // read leading bytes
         bEof = ((0 != rInFile.read( buffer, 6, nRead)) || (nRead != 6));
         if( bEof )
@@ -285,7 +285,12 @@ bool psp::convertPfbToPfa( ::osl::File& rInFile, ::osl::File& rOutFile )
         }
         else if( nType == 1 || nType == 2 )
         {
-            boost::scoped_array<unsigned char> pBuffer(new unsigned char[ nBytesToRead+1 ]);
+            sal_uInt64 nOrgPos(0);
+            rInFile.getPos(nOrgPos);
+            nBytesToRead = std::min<sal_uInt64>(nBytesToRead, nSize - nOrgPos);
+
+            boost::scoped_array<unsigned char> pBuffer(new unsigned char[nBytesToRead+1]);
+            pBuffer[nBytesToRead] = 0;
 
             if( ! rInFile.read( pBuffer.get(), nBytesToRead, nRead ) && nRead == nBytesToRead )
             {