diff options
author | Caolán McNamara <caolanm@redhat.com> | 2022-02-27 12:05:38 +0000 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2022-02-27 15:54:41 +0100 |
commit | da95bafdacf100a7c44b39a8621eea1e2d409693 (patch) | |
tree | d14ea11fc95623516c5d5df3363b9ccff663a322 /vcl | |
parent | 740329373b2fe2c4f7c18ff1921e2f100d49a6bf (diff) |
ofz#45081 check font length
Change-Id: Ib8cea70652ae90403db3546c07d24a517b1ec93e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130621
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/source/fontsubset/ttcr.cxx | 33 |
1 files changed, 26 insertions, 7 deletions
diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx index 77db531c54dc..f923e344cda3 100644 --- a/vcl/source/fontsubset/ttcr.cxx +++ b/vcl/source/fontsubset/ttcr.cxx @@ -1312,14 +1312,21 @@ static void ProcessTables(TrueTypeCreator *tt) do { GlyphData *gd = static_cast<GlyphData *>(listCurrent(glyphlist)); - if (gd->compflag) { /* re-number all components */ + if (gd->compflag && gd->nbytes > 10) { /* re-number all components */ sal_uInt16 flags, index; sal_uInt8 *ptr = gd->ptr + 10; + size_t nRemaining = gd->nbytes - 10; do { - sal_uInt32 j; + if (nRemaining < 4) + { + SAL_WARN("vcl.fonts", "truncated font"); + break; + } flags = GetUInt16(ptr, 0); index = GetUInt16(ptr, 2); + /* XXX use the sorted array of old to new glyphID mapping and do a binary search */ + sal_uInt32 j; for (j = 0; j < nGlyphs; j++) { if (gid[j] == index) { break; @@ -1330,20 +1337,32 @@ static void ProcessTables(TrueTypeCreator *tt) PutUInt16(static_cast<sal_uInt16>(j), ptr, 2); ptr += 4; + nRemaining -= 4; + sal_uInt32 nAdvance = 0; if (flags & ARG_1_AND_2_ARE_WORDS) { - ptr += 4; + nAdvance += 4; } else { - ptr += 2; + nAdvance += 2; } if (flags & WE_HAVE_A_SCALE) { - ptr += 2; + nAdvance += 2; } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) { - ptr += 4; + nAdvance += 4; } else if (flags & WE_HAVE_A_TWO_BY_TWO) { - ptr += 8; + nAdvance += 8; } + + if (nRemaining < nAdvance) + { + SAL_WARN("vcl.fonts", "truncated font"); + break; + } + + ptr += nAdvance; + nRemaining -= nAdvance; + } while (flags & MORE_COMPONENTS); } |