author | Caolán McNamara <caolanm@redhat.com> | 2022-03-02 09:04:00 +0000 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2022-03-02 16:35:50 +0100 |
commit | d668c2b94cac5d3878eea51a318b80f3042b05c2 (patch) | |
tree | 8e7ba86a116c0740f1d063f335c3cd197f7beff3 | |
parent | 3ac009bfec614ece98313c6444b4c1183ff14954 (diff) |
ofz: don't read past end of record
Change-Id: I9fced38faf46dce9f4cc2b96e351e7ae945d0ac1
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130827
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Tested-by: Jenkins
-rw-r--r-- | vcl/source/fontsubset/sft.cxx | 42 |
1 files changed, 39 insertions, 3 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index a5894f2f3e24..7ebe3cbe8cc3 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -339,7 +339,7 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 {
 sal_uInt32 nTableSize;
 const sal_uInt8* table = ttf->table(O_glyf, nTableSize);
- sal_uInt8 flag, n;
+ sal_uInt8 n;
 int i, j, z;
 *pointArray = nullptr;
@@ -384,7 +384,7 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 return 0;
 const sal_uInt8* p = ptr + nOffset;
- const sal_uInt32 nBytesRemaining = nMaxGlyphSize - nOffset;
+ sal_uInt32 nBytesRemaining = nMaxGlyphSize - nOffset;
 const sal_uInt32 palen = lastPoint+1;
 //at a minimum its one byte per entry
@@ -400,10 +400,22 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 i = 0;
 while (i <= lastPoint) {
- flag = *p++;
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
+ sal_uInt8 flag = *p++;
+ --nBytesRemaining;
 pa[i++].flags = static_cast<sal_uInt32>(flag);
 if (flag & 8) { /*- repeat flag */
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 n = *p++;
+ --nBytesRemaining;
 // coverity[tainted_data : FALSE] - i > lastPoint extra checks the n loop bound
 for (j=0; j<n; j++) {
 if (i > lastPoint) { /*- if the font is really broken */
@@ -419,14 +431,26 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 z = 0;
 for (i = 0; i <= lastPoint; i++) {
 if (pa[i].flags & 0x02) {
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 if (pa[i].flags & 0x10) {
 z += static_cast<int>(*p++);
 } else {
 z -= static_cast<int>(*p++);
 }
+ --nBytesRemaining;
 } else if ( !(pa[i].flags & 0x10)) {
+ if (nBytesRemaining < 2)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 z += GetInt16(p, 0);
 p += 2;
+ nBytesRemaining -= 2;
 }
 pa[i].x = static_cast<sal_Int16>(z);
 }
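Review bot: The two `break`s added to the flag loop in the `-400,10` hunk leave the `while` with `i <= lastPoint`, but nothing visible records that decoding was cut short, so the coordinate loops that follow still walk every `pa` entry, including those whose `flags` were never written. Those entries hold whatever the allocation left in them; the allocation is outside the hunk, so confirm it zero-fills. A local flag set on each short-read path, `bShortRead = true;` just before the `break`, would let the function skip the later stages and report failure instead of handing back a partly decoded outline. The function body starts and ends outside this hunk.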
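Review bot: When the x loop in the `-419,14` hunk stops at `if (nBytesRemaining < 2)` with exactly one byte left, that byte is still counted as available, so the y loop in the `-435,14` hunk passes its `if (!nBytesRemaining)` test and decodes it as a y delta. No read goes out of bounds, but a truncated record then yields coordinates taken from the wrong offset rather than a clean stop. Adding `nBytesRemaining = 0;` before that `break` makes the next stage stop at its first read; the same applies to the flag loop's exits if a later stage should never run after a short read. What the function returns after these loops is outside the hunk.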
@@ -435,14 +459,26 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 z = 0;
 for (i = 0; i <= lastPoint; i++) {
 if (pa[i].flags & 0x04) {
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 if (pa[i].flags & 0x20) {
 z += *p++;
 } else {
 z -= *p++;
 }
+ --nBytesRemaining;
 } else if ( !(pa[i].flags & 0x20)) {
+ if (nBytesRemaining < 2)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 z += GetInt16(p, 0);
 p += 2;
+ nBytesRemaining -= 2;
 }
 pa[i].y = static_cast<sal_Int16>(z);
 }
 |
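Review bot: All six guards added by this commit log the identical text `"short read"`, so a fuzzer log or field report cannot tell whether the flags, x or y stage ran out of data. Naming the stage in each message, for example `SAL_WARN("vcl.fonts", "short read in y coordinates");` for the two guards in this hunk, costs nothing and makes triage of malformed fonts quicker. In this loop the `--nBytesRemaining;` also sits after the if/else that performs the `*p++`, so a later edit to one branch could separate the read from its accounting; a one-line comment tying the decrement to the byte consumed above would help.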