From cd5fd80ebfa91e6546a10bc5e84f588ad8762add Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 2 Jul 2015 14:34:36 +0100
Subject: coverity#1213369 Untrusted value as argument

Change-Id: Ie929aee9c78a89d9ebed15cc59d33d7f2fdb3fad
---
 vcl/source/fontsubset/sft.cxx | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'vcl')

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index ede244c752d3..999a697c0276 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1721,6 +1721,9 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
         for( i = 0; i <= (int)t->nglyphs; ++i )
             t->goffsets[i] = indexfmt ? GetUInt32(table, i << 2, 1) : (sal_uInt32)GetUInt16(table, i << 1, 1) << 1;
     } else if( getTable(t, O_CFF) ) {           /* PS-OpenType */
+        int k = getTableSize(t, O_CFF); /* set a limit here, presumably much lower than the table size, but establishes some sort of physical bound */
+        if( k < (int)t->nglyphs )
+            t->nglyphs = k;
         t->goffsets = static_cast<sal_uInt32 *>(calloc(1+t->nglyphs, sizeof(sal_uInt32)));
         /* TODO: implement to get subsetting */
         assert(t->goffsets != 0);
-- 
cgit