cid#1209863 Untrusted loop bound

Change-Id: Ie9c3672a065b9df4580559cd927c6b1524edde0e Reviewed-on: https://gerrit.libreoffice.org/76099 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2019-07-22 09:13:14 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2019-07-22 13:56:47 +0200
commit: a6eaacf66ccc8f83b075b775f4dfa0aace0c3e3a (patch)
tree: f76062931e19fbc9712d66f1aa52a955daecc0a6 /vcl
parent: 0ee301231cb3dbd2eb4f4b69bb2a0d18a1e37096 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index ade991626dd9..78c1c7112d09 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -231,9 +231,20 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
     else if( (nFormat == 12) && ((nOffset+16) < nLength) )
     {
         nRangeCount = GetUInt( pCmap + nOffset + 12 );
+
+        const int nGroupOffset = nOffset + 16;
+        const int nRemainingLen = nLength - nGroupOffset;
+        const int nMaxPossiblePairs = nRemainingLen / 12;
+        if (nRangeCount > nMaxPossiblePairs)
+        {
+            SAL_WARN("vcl.gdi", "more code pairs requested then space available");
+            nRangeCount = nMaxPossiblePairs;
+        }
+
         pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
         pStartGlyphs = new int[ nRangeCount ];
-        const unsigned char* pGroup = pCmap + nOffset + 16;
+
+        const unsigned char* pGroup = pCmap + nGroupOffset;
         sal_UCS4* pCP = pCodePairs;
         for( int i = 0; i < nRangeCount; ++i )
         {
author	Caolán McNamara <caolanm@redhat.com>	2019-07-22 09:13:14 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2019-07-22 13:56:47 +0200
commit	a6eaacf66ccc8f83b075b775f4dfa0aace0c3e3a (patch)
tree	f76062931e19fbc9712d66f1aa52a955daecc0a6 /vcl
parent	0ee301231cb3dbd2eb4f4b69bb2a0d18a1e37096 (diff)