From 33d63c77c12b949dca9121dd684978d12ae501c1 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Tue, 15 Sep 2020 16:36:17 +0100
Subject: ofz#25684 keep ParseCMAP within legal area
Change-Id: Iee18b5a9390b79efa67414ea2d229d2816c84e18
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102756
Tested-by: Jenkins
Reviewed-by: Xisco Fauli
---
 vcl/source/font/fontcharmap.cxx | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 7225f385ad56..9ba392935c60 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -150,6 +150,10 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
 continue;
 
 int nTmpOffset = GetUInt( p+4 );
+
+ if (nTmpOffset + 2 > nLength)
+ continue;
+
 int nTmpFormat = GetUShort( pCmap + nTmpOffset );
 if( nTmpFormat == 12 ) // 32bit code -> glyph map format
 nValue += 3;
-- cgit
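Review bot: The added guard `if (nTmpOffset + 2 > nLength)` bounds the offset only from above, and `nTmpOffset` is a signed `int` filled from `GetUInt( p+4 )`, a value read from the font data. If GetUInt can return a value above INT_MAX (its return type is not visible in this hunk), the offset becomes negative, passes the check, and `GetUShort( pCmap + nTmpOffset )` then reads before the start of the buffer. An offset close to INT_MAX also makes `nTmpOffset + 2` overflow, which is undefined behaviour for signed int. Rejecting negative offsets and moving the arithmetic to the length side would close both cases: `if (nTmpOffset < 0 || nTmpOffset > nLength - 2) continue;`. ParseCMAP's body starts and ends outside the hunk, so whether `nLength` is already known to be at least 2 here should be confirmed against the earlier checks.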