From 75a171a405afd6eac236af93aa9d29a9c3ec9c64 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Wed, 7 Feb 2018 21:10:16 +0000
Subject: check ntables offset

Change-Id: Id75f5f4b578fd176c17e5763569f1403260c6594
---
 vcl/source/fontsubset/sft.cxx | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'vcl')
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 474d07ba4266..64beb34b28b1 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1482,8 +1482,11 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
 return SF_TTFORMAT;
 }

- t->ntables = GetUInt16(t->ptr + tdoffset, 4);
- if (t->ntables >= 128) {
+ if (tdoffset + 4 + sizeof(sal_uInt16) <= static_cast(t->fsize)) {
+ t->ntables = GetUInt16(t->ptr + tdoffset, 4);
+ }
+
+ if (t->ntables >= 128 || t->ntables == 0) {
 CloseTTFont(t);
 return SF_TTFORMAT;
 }
--
cgit
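Review bot: When the new bounds check on `tdoffset` fails, `t->ntables` is never assigned, so the font is rejected by the following `if` only if the field already holds 0 (or a value of 128 or more) on entry; the allocation of `t` is outside this hunk, so that cannot be confirmed from here. Making the failure explicit removes the dependency: add `else { CloseTTFont(t); return SF_TTFORMAT; }` to the bounds check, or set `t->ntables = 0;` just before it. Separately, `tdoffset + 4 + sizeof(sal_uInt16)` is evaluated as unsigned because of `sizeof`, so if `tdoffset` is a signed int (its declaration is not visible) the sum could wrap where `size_t` is 32 bits. Comparing `tdoffset` against `t->fsize` minus the constant, after confirming the file is at least that long, would avoid the addition. doOpenTTFont's body starts and ends outside the hunk.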