ofz: record less than 10 bytes is invalid

Change-Id: Ie6b88efbc12b4c7fddb7459e50cba28fcbcf35fe Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131010 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
author: Caolán McNamara <caolanm@redhat.com> 2022-03-05 10:03:43 +0000
committer: Michael Stahl <michael.stahl@allotropia.de> 2022-03-07 12:14:42 +0100
commit: bc8bfb709c015e34a7c9c8f3239b075562da208f (patch)
tree: 4d4beb3bbacc2703049b4a98336c5fb62f653603 /vcl
parent: d47e524aec31398d3af83563c546fef06ecb280c (diff)
1 files changed, 10 insertions, 6 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 8084bb247567..d4c905c068df 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -353,11 +353,18 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 
     const sal_uInt8* ptr = table + nGlyphOffset;
     const sal_uInt32 nMaxGlyphSize = nTableSize - nGlyphOffset;
+    constexpr sal_uInt32 nContourOffset = 10;
+    if (nMaxGlyphSize < nContourOffset)
+        return 0;
 
     const sal_Int16 numberOfContours = GetInt16(ptr, GLYF_numberOfContours_offset);
     if( numberOfContours <= 0 )             /*- glyph is not simple */
         return 0;
 
+    const sal_Int32 nMaxContours = (nMaxGlyphSize - nContourOffset)/2;
+    if (numberOfContours > nMaxContours)
+        return 0;
+
     if (metrics) {                                                    /*- GetCompoundTTOutline() calls this function with NULL metrics -*/
         metrics->xMin = GetInt16(ptr, GLYF_xMin_offset);
         metrics->yMin = GetInt16(ptr, GLYF_yMin_offset);
@@ -368,22 +375,19 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 
     /* determine the last point and be extra safe about it. But probably this code is not needed */
     sal_uInt16 lastPoint=0;
-    const sal_Int32 nMaxContours = (nMaxGlyphSize - 10)/2;
-    if (numberOfContours > nMaxContours)
-        return 0;
     for (i=0; i<numberOfContours; i++)
     {
-        const sal_uInt16 t = GetUInt16(ptr, 10+i*2);
+        const sal_uInt16 t = GetUInt16(ptr, nContourOffset + i * 2);
         if (t > lastPoint)
             lastPoint = t;
     }
 
-    sal_uInt32 nInstLenOffset = 10 + numberOfContours * 2;
+    sal_uInt32 nInstLenOffset = nContourOffset + numberOfContours * 2;
     if (nInstLenOffset + 2 > nMaxGlyphSize)
         return 0;
     sal_uInt16 instLen = GetUInt16(ptr, nInstLenOffset);
 
-    sal_uInt32 nOffset = 10 + 2 * numberOfContours + 2 + instLen;
+    sal_uInt32 nOffset = nContourOffset + 2 * numberOfContours + 2 + instLen;
     if (nOffset > nMaxGlyphSize)
         return 0;
     const sal_uInt8* p = ptr + nOffset;
author	Caolán McNamara <caolanm@redhat.com>	2022-03-05 10:03:43 +0000
committer	Michael Stahl <michael.stahl@allotropia.de>	2022-03-07 12:14:42 +0100
commit	bc8bfb709c015e34a7c9c8f3239b075562da208f (patch)
tree	4d4beb3bbacc2703049b4a98336c5fb62f653603 /vcl
parent	d47e524aec31398d3af83563c546fef06ecb280c (diff)