author | Caolán McNamara <caolanm@redhat.com> | 2014-06-04 16:17:28 +0100 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2014-06-04 16:42:52 +0100 |
commit | 891e0f76350890a4dd4331820bde8c118ac06ab0 (patch) | |
tree | f5627908afd910c69e6608153d34890296777834 /vcl | |
parent | d0baa04104959f7723aa041862fbc497af1a84b2 (diff) |
Resolves: fdo#78477 ensure offset + sizeof(value) is in bounds
a) ptr is just added to offset, so move addition into 2nd arg
Change-Id: Ia3e8145c69324f19aeec8b0dd97284ec382d20d7
(cherry picked from commit 57ef375bed4480bbedc799aca274a6bd26745008)
b) sort in order of increasing offset
Change-Id: I0d2c880438f47f4527037d7ffaf77cf142d24751
(cherry picked from commit 95e92889d3fb0e8a85cefdeb07a02e57130a9799)
c) fdo#78477 ensure offset + sizeof(value) is in bounds
check that largest offset + value to read is inside available space
Change-Id: I4feac37bdfbae5061b3b75ddf44bb20fc5904656
(cherry picked from commit c888c211072f23cfb4cc488c641d8d822f930a33)
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/source/fontsubset/sft.cxx | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 8f07bb3355ec..c40d75c86605 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -44,6 +44,7 @@
 #ifndef NO_TYPE3 /* include CreateT3FromTTGlyphs() */
 #include <rtl/crc.h>
 #endif
+#include <rtl/ustring.hxx>
 #include <osl/endian.h>
 #include <algorithm>
@@ -2556,12 +2557,22 @@ int GetTTNameRecords(TrueTypeFont *ttf, NameRecord **nr)
 NameRecord* rec = (NameRecord*)calloc(n, sizeof(NameRecord));
 for (i = 0; i < n; i++) {
- int nStrOffset = GetUInt16(table + 6, 10 + 12 * i, 1);
- rec[i].platformID = GetUInt16(table + 6, 12 * i, 1);
- rec[i].encodingID = GetUInt16(table + 6, 2 + 12 * i, 1);
- rec[i].languageID = GetUInt16(table + 6, 4 + 12 * i, 1);
- rec[i].nameID = GetUInt16(table + 6, 6 + 12 * i, 1);
- rec[i].slen = GetUInt16(table + 6, 8 + 12 * i, 1);
+ int nLargestFixedOffsetPos = 6 + 10 + 12 * i;
+ int nMinSize = nLargestFixedOffsetPos + sizeof(sal_uInt16);
+ if (nMinSize > nTableSize)
+ {
+ SAL_WARN( "vcl.fonts", "Font " << OUString::createFromAscii(ttf->fname) << " claimed to have "
+ << n << " name records, but only space for " << i);
+ n = i;
+ break;
+ }
+
+ rec[i].platformID = GetUInt16(table, 6 + 0 + 12 * i, 1);
+ rec[i].encodingID = GetUInt16(table, 6 + 2 + 12 * i, 1);
+ rec[i].languageID = GetUInt16(table, 6 + 4 + 12 * i, 1);
+ rec[i].nameID = GetUInt16(table, 6 + 6 + 12 * i, 1);
+ rec[i].slen = GetUInt16(table, 6 + 8 + 12 * i, 1);
+ int nStrOffset = GetUInt16(table, nLargestFixedOffsetPos, 1);
 if (rec[i].slen) {
 if( nStrBase+nStrOffset+rec[i].slen >= nTableSize ) {
 rec[i].sptr = 0; |
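Review bot: The new bounds check in the GetTTNameRecords loop runs only after `calloc(n, sizeof(NameRecord))` has already sized the array from the record count the font claims, so a truncated name table is detected one record at a time rather than up front. Clamping the count before the allocation, for example `n = std::min<int>(n, (nTableSize - 6) / 12);` behind an `nTableSize >= 6` guard (assuming `nTableSize` is a signed int, which the hunk does not show), would keep the allocation matched to what the table can hold and make the per-iteration check redundant. When the check trips at `i == 0` the loop exits with `n = 0` while `rec` is still allocated; the code after the loop is outside this hunk, so it should be confirmed that `rec` is freed or that callers dispose of it when zero records come back. `nMinSize` also adds an `int` to the `size_t` from `sizeof`, and `static_cast<int>(sizeof(sal_uInt16))` would keep the comparison with `nTableSize` in one signedness. The unchecked `calloc` result in the context line is pre-existing but sits directly in front of the first `rec[i]` write.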