summaryrefslogtreecommitdiffstats
path: root/vcl/source/fontsubset/ttcr.cxx
diff options
context:
space:
mode:
Diffstat (limited to 'vcl/source/fontsubset/ttcr.cxx')
-rw-r--r--vcl/source/fontsubset/ttcr.cxx36
1 files changed, 28 insertions, 8 deletions
diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx
index fd6703e5a0b7..0c0c639aacda 100644
--- a/vcl/source/fontsubset/ttcr.cxx
+++ b/vcl/source/fontsubset/ttcr.cxx
@@ -25,6 +25,7 @@
#include "ttcr.hxx"
#include "list.h"
+#include <sal/log.hxx>
#include <string.h>
namespace vcl
@@ -1268,7 +1269,7 @@ static void ProcessTables(TrueTypeCreator *tt)
/* printf("IDs: %d %d.\n", gd->glyphID, gd->newID); */
- if (gd->nbytes != 0) {
+ if (gd->nbytes >= 10) {
z = GetInt16(gd->ptr, 2);
if (z < xMin) xMin = z;
@@ -1306,14 +1307,21 @@ static void ProcessTables(TrueTypeCreator *tt)
do {
GlyphData *gd = static_cast<GlyphData *>(listCurrent(glyphlist));
- if (gd->compflag) { /* re-number all components */
+ if (gd->compflag && gd->nbytes > 10) { /* re-number all components */
sal_uInt16 flags, index;
sal_uInt8 *ptr = gd->ptr + 10;
+ size_t nRemaining = gd->nbytes - 10;
do {
- sal_uInt32 j;
+ if (nRemaining < 4)
+ {
+ SAL_WARN("vcl.fonts", "truncated font");
+ break;
+ }
flags = GetUInt16(ptr, 0);
index = GetUInt16(ptr, 2);
+
/* XXX use the sorted array of old to new glyphID mapping and do a binary search */
+ sal_uInt32 j;
for (j = 0; j < nGlyphs; j++) {
if (gid[j] == index) {
break;
@@ -1324,20 +1332,32 @@ static void ProcessTables(TrueTypeCreator *tt)
PutUInt16(static_cast<sal_uInt16>(j), ptr, 2);
ptr += 4;
+ nRemaining -= 4;
+ sal_uInt32 nAdvance = 0;
if (flags & ARG_1_AND_2_ARE_WORDS) {
- ptr += 4;
+ nAdvance += 4;
} else {
- ptr += 2;
+ nAdvance += 2;
}
if (flags & WE_HAVE_A_SCALE) {
- ptr += 2;
+ nAdvance += 2;
} else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) {
- ptr += 4;
+ nAdvance += 4;
} else if (flags & WE_HAVE_A_TWO_BY_TWO) {
- ptr += 8;
+ nAdvance += 8;
}
+
+ if (nRemaining < nAdvance)
+ {
+ SAL_WARN("vcl.fonts", "truncated font");
+ break;
+ }
+
+ ptr += nAdvance;
+ nRemaining -= nAdvance;
+
} while (flags & MORE_COMPONENTS);
}