check ntables offset

Change-Id: Id75f5f4b578fd176c17e5763569f1403260c6594
author: Caolán McNamara <caolanm@redhat.com> 2018-02-07 21:10:16 +0000
committer: Caolán McNamara <caolanm@redhat.com> 2018-02-09 10:15:56 +0000
commit: 75a171a405afd6eac236af93aa9d29a9c3ec9c64 (patch)
tree: 7c2c04c0e0228445c24f730bf87a2399647ff398
parent: check tableoffset against size (diff)
download: core-75a171a405afd6eac236af93aa9d29a9c3ec9c64.tar.gz
core-75a171a405afd6eac236af93aa9d29a9c3ec9c64.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 474d07ba4266..64beb34b28b1 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1482,8 +1482,11 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
         return SF_TTFORMAT;
     }
 
-    t->ntables = GetUInt16(t->ptr + tdoffset, 4);
-    if (t->ntables >= 128) {
+    if (tdoffset + 4 + sizeof(sal_uInt16) <=  static_cast<sal_uInt32>(t->fsize)) {
+        t->ntables = GetUInt16(t->ptr + tdoffset, 4);
+    }
+
+    if (t->ntables >= 128 || t->ntables == 0) {
         CloseTTFont(t);
         return SF_TTFORMAT;
     }
author	Caolán McNamara <caolanm@redhat.com>	2018-02-07 21:10:16 +0000
committer	Caolán McNamara <caolanm@redhat.com>	2018-02-09 10:15:56 +0000
commit	75a171a405afd6eac236af93aa9d29a9c3ec9c64 (patch)
tree	7c2c04c0e0228445c24f730bf87a2399647ff398
parent	check tableoffset against size (diff)
download	core-75a171a405afd6eac236af93aa9d29a9c3ec9c64.tar.gz core-75a171a405afd6eac236af93aa9d29a9c3ec9c64.zip