stay within font bounds

Change-Id: Ie8ed610b71cb1b20963827c2be97155d2d8aa22c Reviewed-on: https://gerrit.libreoffice.org/49370 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2018-02-07 16:05:08 +0000
committer: Michael Stahl <mstahl@redhat.com> 2018-02-08 13:25:50 +0100
commit: fa83c595e48d74d686b3ed894d3d4893d82975c9 (patch)
tree: 090c037b995cf7b9bef822af4e6ed3c33272af30
parent: what matters is the availability of the last element, not the first (diff)
download: core-fa83c595e48d74d686b3ed894d3d4893d82975c9.tar.gz
core-fa83c595e48d74d686b3ed894d3d4893d82975c9.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index d69a6132d938..5c7929b76615 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1560,7 +1560,12 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
     /* parse the tables */
     for (i=0; i<(int)t->ntables; i++) {
         int nIndex;
-        tag = GetUInt32(t->ptr + tdoffset + 12, 16 * i);
+        const sal_uInt32 nStart = tdoffset + 12;
+        const sal_uInt32 nOffset = 16 * i;
+        if (nStart + nOffset + sizeof(sal_uInt32) <=  static_cast<sal_uInt32>(t->fsize))
+            tag = GetUInt32(t->ptr + nStart, nOffset);
+        else
+            tag = static_cast<sal_uInt32>(-1);
         switch( tag ) {
             case T_maxp: nIndex = O_maxp; break;
             case T_glyf: nIndex = O_glyf; break;
author	Caolán McNamara <caolanm@redhat.com>	2018-02-07 16:05:08 +0000
committer	Michael Stahl <mstahl@redhat.com>	2018-02-08 13:25:50 +0100
commit	fa83c595e48d74d686b3ed894d3d4893d82975c9 (patch)
tree	090c037b995cf7b9bef822af4e6ed3c33272af30
parent	what matters is the availability of the last element, not the first (diff)
download	core-fa83c595e48d74d686b3ed894d3d4893d82975c9.tar.gz core-fa83c595e48d74d686b3ed894d3d4893d82975c9.zip