diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2023-02-26 16:03:37 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2023-02-26 23:29:17 +0000 |
| commit | 03f58d6af52bab05545833980cca835a3df0949a (patch) | |
| tree | 2c995c79e48059c6da52901ede563cb5adf7f26b /vcl/source/fontsubset/sft.cxx | |
| parent | 5a0ee146834fec1661051d1ad708bc3e96163af9 (diff) | |
cid#1521198 Untrusted loop bound
move sanity check inside CountTTCFonts so it applies
to the fd smuggle in via filename mechanism
Change-Id: Id2fee5801d71720747a8736859681e7c9a324bc3
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147740
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'vcl/source/fontsubset/sft.cxx')
| -rw-r--r-- | vcl/source/fontsubset/sft.cxx | 38 |
1 files changed, 31 insertions, 7 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index 6644946699a4..549507121962 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx @@ -1073,8 +1073,6 @@ static void GetNames(AbstractTrueTypeFont *t) int CountTTCFonts(const char* fname) { - int nFonts = 0; - sal_uInt8 buffer[12]; FILE* fd; #ifdef LINUX int nFD; @@ -1088,13 +1086,39 @@ int CountTTCFonts(const char* fname) else #endif fd = fopen(fname, "rb"); - if( fd ) { - if (fread(buffer, 1, 12, fd) == 12) { - if(GetUInt32(buffer, 0) == T_ttcf ) - nFonts = GetUInt32(buffer, 8); + + if (!fd) + return 0; + + int nFonts = 0; + sal_uInt8 buffer[12]; + if (fread(buffer, 1, 12, fd) == 12) { + if(GetUInt32(buffer, 0) == T_ttcf ) + nFonts = GetUInt32(buffer, 8); + } + + if (nFonts > 0) + { + fseek(fd, 0, SEEK_END); + sal_uInt64 fileSize = ftell(fd); + + //Feel free to calc the exact max possible number of fonts a file + //could contain given its physical size. But this will clamp it to + //a sane starting point + //http://processingjs.nihongoresources.com/the_smallest_font/ + //https://github.com/grzegorzrolek/null-ttf + const int nMaxFontsPossible = fileSize / 528; + if (nFonts > nMaxFontsPossible) + { + SAL_WARN("vcl.fonts", "font file " << fname <<" claims to have " + << nFonts << " fonts, but only " + << nMaxFontsPossible << " are possible"); + nFonts = nMaxFontsPossible; } - fclose(fd); } + + fclose(fd); + return nFonts; } |