diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2014-11-14 11:28:45 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2014-11-14 12:02:50 +0000 |
| commit | 642cf9af84ab6a33b0853753499bab4d96be8f7c (patch) | |
| tree | bfc397db3ee224beb2d453adc3d41f33105a0193 /vcl/source/gdi/impfont.cxx | |
| parent | 71c00f4b5797299b1e0b4f1fa23f18b2b68c89b2 (diff) | |
coverity#1209863 Untrusted loop bound
Change-Id: I3de3601f489db2a4dafb4d80f5ef35d5db38ba76
Diffstat (limited to 'vcl/source/gdi/impfont.cxx')
| -rw-r--r-- | vcl/source/gdi/impfont.cxx | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/vcl/source/gdi/impfont.cxx b/vcl/source/gdi/impfont.cxx index 354edc10efc8..d36005a1096f 100644 --- a/vcl/source/gdi/impfont.cxx +++ b/vcl/source/gdi/impfont.cxx @@ -110,6 +110,8 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult ) if( (nSubTables <= 0) || (nLength < (24 + 8*nSubTables)) ) return false; + const unsigned char* pEndValidArea = pCmap + nLength; + // find the most interesting subtable in the CMAP rtl_TextEncoding eRecodeFrom = RTL_TEXTENCODING_UNICODE; int nOffset = 0; @@ -198,8 +200,6 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult ) SAL_WARN("vcl.gdi", "Format 4 char should not be 0xFFFF"); break; } - *(pCP++) = cMinChar; - *(pCP++) = cMaxChar + 1; if( !nRangeOffset ) { // glyphid can be calculated directly pStartGlyphs[i] = (cMinChar + nGlyphDelta) & 0xFFFF; @@ -207,11 +207,20 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult ) // update the glyphid-array with the glyphs in this range pStartGlyphs[i] = -(int)aGlyphIdArray.size(); const unsigned char* pGlyphIdPtr = pOffsetBase + 2*i + nRangeOffset; + const size_t nRemainingSize = pEndValidArea - pGlyphIdPtr; + const size_t nMaxPossibleRecords = nRemainingSize/2; + const size_t nRequestedRecords = cMaxChar - cMinChar + 1; + if (nRequestedRecords > nMaxPossibleRecords) { // no sane font should trigger this + SAL_WARN("vcl.gdi", "More indexes claimed that space available in font!"); + break; + } for( sal_UCS4 c = cMinChar; c <= cMaxChar; ++c, pGlyphIdPtr+=2 ) { const int nGlyphIndex = Getsal_uInt16( pGlyphIdPtr ) + nGlyphDelta; aGlyphIdArray.push_back( static_cast<sal_uInt16>(nGlyphIndex) ); } } + *(pCP++) = cMinChar; + *(pCP++) = cMaxChar + 1; } nRangeCount = (pCP - pCodePairs) / 2; } |