stay within font bounds

Change-Id: Ie8ed610b71cb1b20963827c2be97155d2d8aa22c Reviewed-on: https://gerrit.libreoffice.org/49371 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2018-02-07 16:05:08 +0000
committer: Michael Stahl <Michael.Stahl@cib.de> 2019-08-27 14:12:28 +0200
commit: d920d5185950df038e066af8826caae3fe8ff6bd (patch)
tree: ce3c0f3e984973cd86613d13c18ad1f799bec81e
parent: what matters is the availability of the last element, not the first (diff)
download: core-d920d5185950df038e066af8826caae3fe8ff6bd.tar.gz
core-d920d5185950df038e066af8826caae3fe8ff6bd.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index dfe66eb5d58c..cc4893216d3d 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1590,7 +1590,12 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
     /* parse the tables */
     for (i=0; i<(int)t->ntables; i++) {
         int nIndex;
-        tag = GetUInt32(t->ptr + tdoffset + 12, 16 * i, 1);
+        const sal_uInt32 nStart = tdoffset + 12;
+        const sal_uInt32 nOffset = 16 * i;
+        if (nStart + nOffset + sizeof(sal_uInt32) <=  static_cast<sal_uInt32>(t->fsize))
+            tag = GetUInt32(t->ptr + nStart, nOffset, 1);
+        else
+            tag = static_cast<sal_uInt32>(-1);
         switch( tag ) {
             case T_maxp: nIndex = O_maxp; break;
             case T_glyf: nIndex = O_glyf; break;
author	Caolán McNamara <caolanm@redhat.com>	2018-02-07 16:05:08 +0000
committer	Michael Stahl <Michael.Stahl@cib.de>	2019-08-27 14:12:28 +0200
commit	d920d5185950df038e066af8826caae3fe8ff6bd (patch)
tree	ce3c0f3e984973cd86613d13c18ad1f799bec81e
parent	what matters is the availability of the last element, not the first (diff)
download	core-d920d5185950df038e066af8826caae3fe8ff6bd.tar.gz core-d920d5185950df038e066af8826caae3fe8ff6bd.zip