Fix crash from broken font CMAP subtable

ParseCMAP crashes on a broken CMAP subtable of a font used by the bugdoc of tdf#119074, which returns a negative offset (technically it's large positive offset turning into a wrong negative integer, which is still out of bounds of the CMAP overall size - you get the point). This simply ignores that broken subtable, checking for other existing ones. Regressed-by: c7482bc2904401e7d975b5721ec861b8589253f9 Change-Id: I95820fe3bb6bd2fe2e0cf9d4c3536abce31fd497 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103033 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
author: Jan-Marek Glogowski <glogow@fbihome.de> 2020-09-19 11:53:27 +0200
committer: Caolán McNamara <caolanm@redhat.com> 2020-09-19 13:26:36 +0200
commit: 9bf4c5ac49b73cc2a8c89a87ff87238c061a579d (patch)
tree: 9ccf122fd7874a7aaad62e8affdc9ac2b4a794c9 /vcl
parent: d7e5d79db4c447cab87a44c3f80e503463e5dec6 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index c66ddea45ea7..f7db9fd65ead 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -152,7 +152,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
 
         int nTmpOffset = GetUInt( p+4 );
 
-        if (nTmpOffset + 2 > nLength)
+        if (nTmpOffset + 2 > nLength || nTmpOffset < 0)
             continue;
 
         int nTmpFormat = GetUShort( pCmap + nTmpOffset );
author	Jan-Marek Glogowski <glogow@fbihome.de>	2020-09-19 11:53:27 +0200
committer	Caolán McNamara <caolanm@redhat.com>	2020-09-19 13:26:36 +0200
commit	9bf4c5ac49b73cc2a8c89a87ff87238c061a579d (patch)
tree	9ccf122fd7874a7aaad62e8affdc9ac2b4a794c9 /vcl
parent	d7e5d79db4c447cab87a44c3f80e503463e5dec6 (diff)