diff options
| author | Jan-Marek Glogowski <glogow@fbihome.de> | 2020-09-19 11:53:27 +0200 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2020-09-28 21:14:30 +0200 |
| commit | 38fa146e003577f0bc06818db8cfb25fc9a6a347 (patch) | |
| tree | 35a0a7ba70e7c04a29be4863bc40d60a96bd7c21 | |
| parent | d93051cba341a73fe389e7471fc60d46da3aa1fe (diff) | |
Fix crash from broken font CMAP subtable
ParseCMAP crashes on a broken CMAP subtable of a font used by the
bugdoc of tdf#119074, which returns a negative offset (technically
it's large positive offset turning into a wrong negative integer,
which is still out of bounds of the CMAP overall size - you get
the point). This simply ignores that broken subtable, checking for
other existing ones.
Regressed-by: c7482bc2904401e7d975b5721ec861b8589253f9
Change-Id: I95820fe3bb6bd2fe2e0cf9d4c3536abce31fd497
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103033
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 9bf4c5ac49b73cc2a8c89a87ff87238c061a579d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103046
Reviewed-by: Jan-Marek Glogowski <glogow@fbihome.de>
(cherry picked from commit 229aca48befa4bdb52041ce6d0dca16a87b778e4)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103060
Reviewed-by: Michael Stahl <michael.stahl@cib.de>
Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
Tested-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | vcl/source/font/fontcharmap.cxx | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx index 9ba392935c60..8eb8636db287 100644 --- a/vcl/source/font/fontcharmap.cxx +++ b/vcl/source/font/fontcharmap.cxx @@ -151,7 +151,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult ) int nTmpOffset = GetUInt( p+4 ); - if (nTmpOffset + 2 > nLength) + if (nTmpOffset + 2 > nLength || nTmpOffset < 0) continue; int nTmpFormat = GetUShort( pCmap + nTmpOffset ); |