authorCaolán McNamara <caolanm@redhat.com>2020-09-15 16:36:17 +0100
committerThorsten Behrens <thorsten.behrens@allotropia.de>2021-04-09 23:22:07 +0200
commit19886f271f3e9e2f00b534b80a41f4a810623798 (patch)
treef612736fbe3ea014383b67297212dec097ec8557
parentcid#1209863 Untrusted loop bound (diff)
ofz#25684 keep ParseCMAP within legal area
Change-Id: Iee18b5a9390b79efa67414ea2d229d2816c84e18 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102776 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit a014c82522834c972e247a28d8e5f42998ae3c0e) ofz#25696 OOM Change-Id: Ia69e9ce1ca0156e960dddb7e0bf98dfd2be2d7cc Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102846 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit d57b14e3394b081adf0888ed8dcb7b86d66c246c) ofz#25774 keep ParseCMAP within legal area Change-Id: Ic68fadd3d63631cbccda76e7679d95bb89452d25 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103017 Tested-by: Caolán McNamara <caolanm@redhat.com> Reviewed-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit f8474367449a1b6b54918d2753e3a36798761839) Fix crash from broken font CMAP subtable ParseCMAP crashes on a broken CMAP subtable of a font used by the bugdoc of tdf#119074, which returns a negative offset (technically it's large positive offset turning into a wrong negative integer, which is still out of bounds of the CMAP overall size - you get the point). This simply ignores that broken subtable, checking for other existing ones. 
Regressed-by: c7482bc2904401e7d975b5721ec861b8589253f9 Change-Id: I95820fe3bb6bd2fe2e0cf9d4c3536abce31fd497 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103033 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit 9bf4c5ac49b73cc2a8c89a87ff87238c061a579d) Missing include (for std::max, since f8474367449a1b6b54918d2753e3a36798761839 "ofz#25774 keep ParseCMAP within legal area") Change-Id: I873c788577e9ec3bd54d9e637d2cf86be7c1f6e6 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103089 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com> (cherry picked from commit 8cc52b05744443c64cf5eb62ebe3098cd964c437) ofz#25855 overflow in nTmpOffset we already know nLength is >= 24 so just move the calc to the other term Change-Id: Ic52f1686ccf81e6b13d7eb7e74dbd9cb51c8ea01 ofz#25868 Timeout, encoding conversion only sane in 0..SAL_MAX_UINT16 range so ignore points outside that range to avoid ludicrous ranges that aren't possible in the input encoding Change-Id: Ifb7b9b389d4a31b8820a7da661249223fe1e110c Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103261 Tested-by: Jenkins Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org> (cherry picked from commit 1e41300a9552f90b3d75d5ffadd31ae42a28d249)
-rw-r--r--vcl/source/font/fontcharmap.cxx32
1 files changed, 28 insertions, 4 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index a375f98fa14f..f9aa5ded6963 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -20,6 +20,7 @@
#include <impfontcharmap.hxx>
#include <sal/log.hxx>
+#include <algorithm>
#include <vector>
#include <set>
@@ -149,6 +150,10 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
continue;
int nTmpOffset = GetUInt( p+4 );
+
+ if (nTmpOffset > nLength - 2 || nTmpOffset < 0)
+ continue;
+
int nTmpFormat = GetUShort( pCmap + nTmpOffset );
if( nTmpFormat == 12 ) // 32bit code -> glyph map format
nValue += 3;
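Review bot: The guard `if (nTmpOffset > nLength - 2 || nTmpOffset < 0)` only makes the 2-byte `GetUShort` read of the format field safe; it says nothing about the rest of the subtable header, which the per-format parsing later reads at nOffset+6 and beyond, so each of those readers has to carry its own bound check (the format 4 branch later in this commit reads `GetUShort(pCmap + nOffset + 6)` with none visible, unless something between the hunks covers it). A comment stating that scope would help the next reader: `// only guards the 2-byte format read below; each format's parser must bound-check its own header fields`. The `< 0` arm is what catches a 32-bit offset that wrapped negative because `GetUInt` is stored in an `int`, as the description explains; that is worth saying at the check rather than only in the commit message. ParseCMAP starts and ends outside this hunk.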
@@ -178,12 +183,29 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
{
int nSegCountX2 = GetUShort( pCmap + nOffset + 6 );
nRangeCount = nSegCountX2/2 - 1;
- pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
- pStartGlyphs = new int[ nRangeCount ];
+ if (nRangeCount < 0)
+ {
+ SAL_WARN("vcl.gdi", "negative RangeCount");
+ nRangeCount = 0;
+ }
+
const unsigned char* pLimitBase = pCmap + nOffset + 14;
const unsigned char* pBeginBase = pLimitBase + nSegCountX2 + 2;
const unsigned char* pDeltaBase = pBeginBase + nSegCountX2;
const unsigned char* pOffsetBase = pDeltaBase + nSegCountX2;
+
+ const int nOffsetBaseStart = pOffsetBase - pCmap;
+ const int nRemainingLen = nLength - nOffsetBaseStart;
+ const int nMaxPossibleRangeOffsets = nRemainingLen / 2;
+ if (nRangeCount > nMaxPossibleRangeOffsets)
+ {
+ SAL_WARN("vcl.gdi", "more range offsets requested then space available");
+ nRangeCount = std::max(0, nMaxPossibleRangeOffsets);
+ }
+
+ pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
+ pStartGlyphs = new int[ nRangeCount ];
+
sal_UCS4* pCP = pCodePairs;
for( int i = 0; i < nRangeCount; ++i )
{
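Review bot: `GetUShort(pCmap + nOffset + 6)` at the top of this hunk needs nOffset+8 <= nLength, but the subtable-offset check added earlier in this commit only guarantees nOffset+2 <= nLength, so a format 4 subtable placed in the last few bytes still reads past the buffer before any of the new clamping runs; unless a check between the hunks covers it, add `if (nOffset + 8 > nLength) return false;` (or whatever failure convention the surrounding code uses) ahead of that read. Secondary: `pLimitBase`..`pOffsetBase` are formed as `pCmap + nOffset + 14 + 3*nSegCountX2 + 2` before anything is validated, which for a crafted nSegCountX2 lands far beyond the end of pCmap; computing `const int nOffsetBaseStart = nOffset + 14 + 3 * nSegCountX2 + 2;` in integer arithmetic and forming the four pointers only after the clamp keeps the pointer arithmetic inside the allocation. The new warning text `"more range offsets requested then space available"` should read `than`. ParseCMAP's body continues on both sides of this hunk.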
@@ -243,7 +265,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
if (nRangeCount > nMaxPossiblePairs)
{
SAL_WARN("vcl.gdi", "more code pairs requested then space available");
- nRangeCount = nMaxPossiblePairs;
+ nRangeCount = std::max(0, nMaxPossiblePairs);
}
pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
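Review bot: `std::max(0, nMaxPossiblePairs)` only engages when nRangeCount exceeds the limit, so a nRangeCount that is already negative when it arrives here (its origin is above the hunk; if it comes from a signed `GetUInt` read, a wrapped value is possible) passes the comparison untouched and reaches `new sal_UCS4[ nRangeCount * 2 ]` with a negative size. The format 4 branch in this same commit handles that case explicitly; mirroring it here, `if (nRangeCount < 0) nRangeCount = 0;` before the comparison, would make the two branches consistent. ParseCMAP starts and ends outside this hunk.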
@@ -317,7 +339,9 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
{
sal_UCS4 cMin = *(pCP++);
sal_UCS4 cEnd = *(pCP++);
- while( cMin < cEnd )
+ // ofz#25868 the conversion only makes sense with
+ // input codepoints in 0..SAL_MAX_UINT16 range
+ while (cMin < cEnd && cMin <= SAL_MAX_UINT16)
{
int j = 0;
for(; (cMin < cEnd) && (j < NINSIZE); ++cMin )
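Review bot: The new `cMin <= SAL_MAX_UINT16` condition is only tested at batch boundaries; the inner `for(; (cMin < cEnd) && (j < NINSIZE); ++cMin )` still advances cMin past 0xFFFF for up to NINSIZE-1 code points in the batch where the limit is crossed, so a few out-of-range values still reach the conversion the comment says is only sane below that bound. Clamping the end once before the loop, `cEnd = std::min<sal_UCS4>(cEnd, SAL_MAX_UINT16 + 1);`, makes both loops respect it and lets the while condition stay as it was. Whether the conversion tolerates a handful of >0xFFFF inputs cannot be told from here; the code that consumes the batch lies after this hunk, as does the rest of ParseCMAP.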