authorCaolán McNamara <caolanm@redhat.com>2019-07-22 09:13:14 +0100
committerAndras Timar <andras.timar@collabora.com>2021-05-05 13:16:04 +0200
commitec676a5c5bd3e9570746444f4fd6c65cf2e05560 (patch)
tree73eacee364fb324d16f3307aad60d2f0ee75831b
parentrename search+replaced Getsal_uInt16 result back to GetUShort (diff)
cid#1209863 Untrusted loop bound
Change-Id: Ie9c3672a065b9df4580559cd927c6b1524edde0e Reviewed-on: https://gerrit.libreoffice.org/76099 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit a6eaacf66ccc8f83b075b775f4dfa0aace0c3e3a)
-rw-r--r--vcl/source/font/fontcharmap.cxx13
1 files changed, 12 insertions, 1 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 02171f4f7a91..588dda386f46 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -230,9 +230,20 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
else if( (nFormat == 12) && ((nOffset+16) < nLength) )
{
nRangeCount = GetUInt( pCmap + nOffset + 12 );
+
+ const int nGroupOffset = nOffset + 16;
+ const int nRemainingLen = nLength - nGroupOffset;
+ const int nMaxPossiblePairs = nRemainingLen / 12;
+ if (nRangeCount > nMaxPossiblePairs)
+ {
+ SAL_WARN("vcl.gdi", "more code pairs requested then space available");
+ nRangeCount = nMaxPossiblePairs;
+ }
+
pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
pStartGlyphs = new int[ nRangeCount ];
- const unsigned char* pGroup = pCmap + nOffset + 16;
+
+ const unsigned char* pGroup = pCmap + nGroupOffset;
sal_UCS4* pCP = pCodePairs;
for( int i = 0; i < nRangeCount; ++i )
{
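Review bot: The new clamp `if (nRangeCount > nMaxPossiblePairs)` bounds the count only from above, so a negative count would pass through unchanged. `nRangeCount` is assigned from `GetUInt(...)` and compared with `int` values; its declaration is outside the hunk, but if it is a signed `int`, a count field with the top bit set becomes negative, skips the clamp and reaches `new sal_UCS4[ nRangeCount * 2 ]` with a negative size. Widening the guard to `if (nRangeCount < 0 || nRangeCount > nMaxPossiblePairs)` (or making the count unsigned and comparing in that type) would close this. The warning text should also read "than" rather than "then". The format-12 branch and its loop body continue past the end of the hunk, so how the groups are read afterwards is not visible here.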