From d57b14e3394b081adf0888ed8dcb7b86d66c246c Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 16 Sep 2020 10:16:49 +0100
Subject: ofz#25696 OOM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: Ia69e9ce1ca0156e960dddb7e0bf98dfd2be2d7cc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102846
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
---
 vcl/source/font/fontcharmap.cxx | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'vcl/source/font/fontcharmap.cxx')

diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index a8a217ac9a5f..2a4ca017e3e2 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -184,6 +184,12 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
     {
         int nSegCountX2 = GetUShort( pCmap + nOffset + 6 );
         nRangeCount = nSegCountX2/2 - 1;
+        if (nRangeCount < 0)
+        {
+            SAL_WARN("vcl.gdi", "negative RangeCount");
+            nRangeCount = 0;
+        }
+
         pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
         pStartGlyphs = new int[ nRangeCount ];
         const unsigned char* pLimitBase = pCmap + nOffset + 14;
-- 
cgit