From 5a89092d5fe43638832ea8f86df34f81869337d9 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Fri, 17 Oct 2014 15:59:56 +0100
Subject: coverity#1222238 Untrusted loop bound

Change-Id: I1a4dec8727d0a27f7fd0396fd22d955f61daaee4
---
 vcl/source/fontsubset/sft.cxx | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'vcl')

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index f0d1007d6477..cc13d172e3a8 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -2045,6 +2045,14 @@ static GlyphOffsets *GlyphOffsetsNew(sal_uInt8 *sfntP, sal_uInt32 sfntLen)
     sal_uInt32 locaLen = 0;
     sal_Int16 indexToLocFormat = 0;
 
+    sal_uInt32 nMaxPossibleTables = sfntLen / (3*sizeof(sal_uInt32)); /*the three GetUInt32 calls*/
+    if (numTables > nMaxPossibleTables)
+    {
+        SAL_WARN( "vcl.fonts", "GlyphOffsetsNew claimed to have "
+            << numTables  << " tables, but that's impossibly large");
+        numTables = nMaxPossibleTables;
+    }
+
     for (i = 0; i < numTables; i++) {
         sal_uInt32 nLargestFixedOffsetPos = 12 + 16 * i + 12;
         sal_uInt32 nMinSize = nLargestFixedOffsetPos + sizeof(sal_uInt32);
-- 
cgit