ofz: Use-of-uninitialized-value

Change-Id: If10e8d2465ef6de62583f6547e3f68e92002f3f8 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130863 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
author: Caolán McNamara <caolanm@redhat.com> 2022-03-03 20:28:28 +0000
committer: Michael Stahl <michael.stahl@allotropia.de> 2022-03-04 11:28:52 +0100
commit: 75459ccd73426f83d8ce1c5e4ecd2ddb6ec94607 (patch)
tree: 106dcfa07b78b1d4232a40d658b0997c065e5f3e /vcl/source
parent: 6ddfb61759d4ad38898e6467eae5b32a75917bb9 (diff)
1 files changed, 22 insertions, 7 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 3095dc77d62b..a6337321dca2 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1458,31 +1458,46 @@ int GetTTGlyphComponents(AbstractTrueTypeFont *ttf, sal_uInt32 glyphID, std::vec
 
     glyphlist.push_back( glyphID );
 
-    const sal_uInt32 nMaxGlyphSize = glyflength - nOffset;
+    sal_uInt32 nRemainingData = glyflength - nOffset;
 
-    if (nMaxGlyphSize >= 10 && GetInt16(ptr, 0) == -1) {
+    if (nRemainingData >= 10 && GetInt16(ptr, 0) == -1) {
         sal_uInt16 flags, index;
         ptr += 10;
+        nRemainingData -= 10;
         do {
+            if (nRemainingData < 4)
+            {
+                SAL_WARN("vcl.fonts", "short read");
+                break;
+            }
             flags = GetUInt16(ptr, 0);
             index = GetUInt16(ptr, 2);
 
             ptr += 4;
+            nRemainingData -= 4;
             n += GetTTGlyphComponents(ttf, index, glyphlist);
 
+            sal_uInt32 nAdvance;
             if (flags & ARG_1_AND_2_ARE_WORDS) {
-                ptr += 4;
+                nAdvance = 4;
             } else {
-                ptr += 2;
+                nAdvance = 2;
             }
 
             if (flags & WE_HAVE_A_SCALE) {
-                ptr += 2;
+                nAdvance += 2;
             } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) {
-                ptr += 4;
+                nAdvance += 4;
             } else if (flags & WE_HAVE_A_TWO_BY_TWO) {
-                ptr += 8;
+                nAdvance += 8;
+            }
+            if (nRemainingData < nAdvance)
+            {
+                SAL_WARN("vcl.fonts", "short read");
+                break;
             }
+            ptr += nAdvance;
+            nRemainingData -= nAdvance;
         } while (flags & MORE_COMPONENTS);
     }
author	Caolán McNamara <caolanm@redhat.com>	2022-03-03 20:28:28 +0000
committer	Michael Stahl <michael.stahl@allotropia.de>	2022-03-04 11:28:52 +0100
commit	75459ccd73426f83d8ce1c5e4ecd2ddb6ec94607 (patch)
tree	106dcfa07b78b1d4232a40d658b0997c065e5f3e /vcl/source
parent	6ddfb61759d4ad38898e6467eae5b32a75917bb9 (diff)