check O_head size

Change-Id: Idf5d30eaed0196cfa9266e35131c538c606a0960
Reviewed-on: https://gerrit.libreoffice.org/49365
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit b10ae2faae6f3c448bbab71585550387e18cc248)
Reviewed-on: https://gerrit.libreoffice.org/49367
Reviewed-by: Michael Stahl <mstahl@redhat.com>
(cherry picked from commit 9c8fb5055e49f31a179477937f7820f34a04ca33)

1 files changed, 6 insertions, 2 deletions

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 2a47232e34d7..52e9cf540fd3 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1542,7 +1542,6 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
     int i;
     sal_uInt32 length, tag;
     sal_uInt32 tdoffset = 0;        /* offset to TableDirectory in a TTC file. For TTF files is 0 */
-    int indexfmt;
 
     sal_uInt32 TTCTag = GetInt32(t->ptr, 0);
 
@@ -1686,8 +1685,13 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
     t->nglyphs = table_size >= 6 ? GetUInt16(table, 4) : 0;
 
     table = getTable(t, O_head);
+    table_size = getTableSize(t, O_head);
+    if (table_size < 52) {
+        CloseTTFont(t);
+        return SF_TTFORMAT;
+    }
     t->unitsPerEm = GetUInt16(table, 18);
-    indexfmt = GetInt16(table, 50);
+    int indexfmt = GetInt16(table, 50);
 
     if( ((indexfmt != 0) && (indexfmt != 1)) || (t->unitsPerEm <= 0) ) {
         CloseTTFont(t);