author | Caolán McNamara <caolanm@redhat.com> | 2022-03-02 09:04:00 +0000 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2022-03-02 15:40:54 +0100 |
commit | fc6d3381da7555c7144b650d239ce1d88ce9026e (patch) | |
tree | 2a98826d23bb354b32ce3778a7f79491eb64de6d /vcl | |
parent | a2a2e07996a0e49164663eaec5d79481bf7bb3e0 (diff) |
ofz: don't read past end of record
Change-Id: I9fced38faf46dce9f4cc2b96e351e7ae945d0ac1
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130823
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/source/fontsubset/sft.cxx | 42 |
1 files changed, 39 insertions, 3 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 00c46d3caf1f..e2ae8a450954 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -340,7 +340,7 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 {
 sal_uInt32 nTableSize;
 const sal_uInt8* table = ttf->table(O_glyf, nTableSize);
- sal_uInt8 flag, n;
+ sal_uInt8 n;
 int i, j, z;
 *pointArray = nullptr;
@@ -385,7 +385,7 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 return 0;
 const sal_uInt8* p = ptr + nOffset;
- const sal_uInt32 nBytesRemaining = nMaxGlyphSize - nOffset;
+ sal_uInt32 nBytesRemaining = nMaxGlyphSize - nOffset;
 const sal_uInt32 palen = lastPoint+1;
 //at a minimum its one byte per entry
@@ -401,10 +401,22 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 i = 0;
 while (i <= lastPoint) {
- flag = *p++;
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
+ sal_uInt8 flag = *p++;
+ --nBytesRemaining;
 pa[i++].flags = static_cast<sal_uInt32>(flag);
 if (flag & 8) { /*- repeat flag */
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 n = *p++;
+ --nBytesRemaining;
 // coverity[tainted_data : FALSE] - i > lastPoint extra checks the n loop bound
 for (j=0; j<n; j++) {
 if (i > lastPoint) { /*- if the font is really broken */
@@ -420,14 +432,26 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 z = 0;
 for (i = 0; i <= lastPoint; i++) {
 if (pa[i].flags & 0x02) {
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 if (pa[i].flags & 0x10) {
 z += static_cast<int>(*p++);
 } else {
 z -= static_cast<int>(*p++);
 }
+ --nBytesRemaining;
 } else if ( !(pa[i].flags & 0x10)) {
+ if (nBytesRemaining < 2)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 z += GetInt16(p, 0);
 p += 2;
+ nBytesRemaining -= 2;
 }
 pa[i].x = static_cast<sal_Int16>(z);
 }
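Review bot: The two new `break`s in the flag loop (hunk at -401) leave `pa[i..lastPoint].flags` unwritten while execution continues into the coordinate loops, which then test `pa[i].flags & 0x02` and `& 0x04` on those entries. Whether they are zero depends on how `pa` is allocated, which is outside the hunk; if it is not zero-initialised, the later loops branch on indeterminate values. Since the record is already known to be truncated at this point, I would fail the glyph here rather than `break`, or at least add `// truncated record: remaining points keep their initial flags` so the partial result reads as intended. The enclosing function starts and ends outside the hunk.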
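Review bot: The five-line guard is copied six times across the flag, X and Y loops with the same `"short read"` text, so a log line cannot tell which array ran out or at which point. SAL_WARN takes a stream expression, so the X-coordinate guards in this hunk (at -420) could log `SAL_WARN("vcl.fonts", "short read in x coordinates at point " << i);`, with matching wording in the flag and Y loops. A small local lambda that checks and decrements `nBytesRemaining` in one place would also keep the bound check and the `--nBytesRemaining` / `nBytesRemaining -= 2` together; at present they sit on either side of the read and can drift apart in a later edit.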
@@ -436,14 +460,26 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 z = 0;
 for (i = 0; i <= lastPoint; i++) {
 if (pa[i].flags & 0x04) {
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 if (pa[i].flags & 0x20) {
 z += *p++;
 } else {
 z -= *p++;
 }
+ --nBytesRemaining;
 } else if ( !(pa[i].flags & 0x20)) {
+ if (nBytesRemaining < 2)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 z += GetInt16(p, 0);
 p += 2;
+ nBytesRemaining -= 2;
 }
 pa[i].y = static_cast<sal_Int16>(z);
 } |
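Review bot: The one-byte guard `if (!nBytesRemaining)` in the Y loop still passes when the X loop above stopped at its `nBytesRemaining < 2` check with a single byte left, so that leftover X byte is then decoded as a Y delta. The read stays in bounds, but `p` no longer points at the start of the Y array and the resulting coordinates come from misaligned data. Recording the first short read in a local flag (a hypothetical `bool bShortRead`) and skipping this loop when it is set would stop a truncated record from being interpreted any further. The function continues past the end of the hunk, so how the partial `pa` is returned is not visible here.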