Diffstat (limited to 'vcl/source')
-rw-r--r-- | vcl/source/fontsubset/sft.cxx | 2 | ||||
-rw-r--r-- | vcl/source/fontsubset/ttcr.cxx | 36 | ||||
-rw-r--r-- | vcl/source/gdi/svmconverter.cxx | 20 | ||||
-rw-r--r-- | vcl/source/helper/strhelper.cxx | 3 | ||||
-rw-r--r-- | vcl/source/outdev/hatch.cxx | 7 | ||||
-rw-r--r-- | vcl/source/outdev/text.cxx | 2 | ||||
-rw-r--r-- | vcl/source/outdev/textline.cxx | 2 |
7 files changed, 61 insertions, 11 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index bcb1ba251132..1e50634cb645 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx @@ -411,7 +411,7 @@ static int GetSimpleTTOutline(TrueTypeFont const *ttf, sal_uInt32 glyphID, Contr const sal_uInt8* p = ptr + nOffset; const sal_uInt32 nBytesRemaining = nTableSize - nOffset; - const sal_uInt16 palen = lastPoint+1; + const sal_uInt32 palen = lastPoint+1; //at a minimum its one byte per entry if (palen > nBytesRemaining || lastPoint > nBytesRemaining-1) diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx index fd6703e5a0b7..0c0c639aacda 100644 --- a/vcl/source/fontsubset/ttcr.cxx +++ b/vcl/source/fontsubset/ttcr.cxx @@ -25,6 +25,7 @@ #include "ttcr.hxx" #include "list.h" +#include <sal/log.hxx> #include <string.h> namespace vcl @@ -1268,7 +1269,7 @@ static void ProcessTables(TrueTypeCreator *tt) /* printf("IDs: %d %d.\n", gd->glyphID, gd->newID); */ - if (gd->nbytes != 0) { + if (gd->nbytes >= 10) { z = GetInt16(gd->ptr, 2); if (z < xMin) xMin = z; @@ -1306,14 +1307,21 @@ static void ProcessTables(TrueTypeCreator *tt) do { GlyphData *gd = static_cast<GlyphData *>(listCurrent(glyphlist)); - if (gd->compflag) { /* re-number all components */ + if (gd->compflag && gd->nbytes > 10) { /* re-number all components */ sal_uInt16 flags, index; sal_uInt8 *ptr = gd->ptr + 10; + size_t nRemaining = gd->nbytes - 10; do { - sal_uInt32 j; + if (nRemaining < 4) + { + SAL_WARN("vcl.fonts", "truncated font"); + break; + } flags = GetUInt16(ptr, 0); index = GetUInt16(ptr, 2); + /* XXX use the sorted array of old to new glyphID mapping and do a binary search */ + sal_uInt32 j; for (j = 0; j < nGlyphs; j++) { if (gid[j] == index) { break; 
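Review bot: In GetSimpleTTOutline (sft.cxx), now that `palen` is 32 bits wide the second clause of the guard right after it, `lastPoint > nBytesRemaining-1`, looks redundant, and `nBytesRemaining-1` itself wraps to a very large value when `nBytesRemaining` is 0. Assuming `lastPoint` is a 16-bit value (its declaration is outside the hunk), `palen` is always at least 1, so `if (palen > nBytesRemaining)` alone covers every case. A comment such as `// 32-bit on purpose: lastPoint+1 must not wrap to 0 when lastPoint == 0xFFFF` would record why the type matters. The function body starts and ends outside the hunk.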
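Review bot: The literal `10` in `if (gd->nbytes >= 10)` in ProcessTables (ttcr.cxx, hunk @@ -1268) is unexplained; judging by the `GetInt16(gd->ptr, 2)` read that follows, it is the size of the glyph header that holds the bounding box. The same value reappears in the next hunk as `gd->ptr + 10` and `gd->nbytes - 10`. A named constant used at all three places, for example `constexpr sal_uInt32 nGlyphHeaderSize = 10;` (name is only a proposal), would keep the bounds check and the offset tied together. Glyphs with 1 to 9 bytes are now skipped without any log output; a `SAL_WARN` on that path would match the other truncation checks in this commit.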
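Review bot: Both truncation checks added to the component loop of ProcessTables (hunks @@ -1306 and @@ -1324) log the identical text `SAL_WARN("vcl.fonts", "truncated font")` and then `break` out of the inner `do … while` only, so, as far as these hunks show, a composite glyph that was partly renumbered stays in the glyph list and processing continues. Consider whether a truncated composite should make the subsetting fail rather than continue. At minimum, give the two sites distinct messages that name the glyph, e.g. `SAL_WARN("vcl.fonts", "truncated composite glyph " << gd->glyphID << ": component header");`, so a log line can be traced back. The lookup loop also leaves `j == nGlyphs` when `index` is not found, and the lines between the two hunks are not shown. Please confirm that case is rejected before `PutUInt16(static_cast<sal_uInt16>(j), ptr, 2)` writes the value.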
@@ -1324,20 +1332,32 @@ static void ProcessTables(TrueTypeCreator *tt) PutUInt16(static_cast<sal_uInt16>(j), ptr, 2); ptr += 4; + nRemaining -= 4; + sal_uInt32 nAdvance = 0; if (flags & ARG_1_AND_2_ARE_WORDS) { - ptr += 4; + nAdvance += 4; } else { - ptr += 2; + nAdvance += 2; } if (flags & WE_HAVE_A_SCALE) { - ptr += 2; + nAdvance += 2; } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) { - ptr += 4; + nAdvance += 4; } else if (flags & WE_HAVE_A_TWO_BY_TWO) { - ptr += 8; + nAdvance += 8; } + + if (nRemaining < nAdvance) + { + SAL_WARN("vcl.fonts", "truncated font"); + break; + } + + ptr += nAdvance; + nRemaining -= nAdvance; + } while (flags & MORE_COMPONENTS); } diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx index a9773ffbd682..b1bd726969f5 100644 --- a/vcl/source/gdi/svmconverter.cxx +++ b/vcl/source/gdi/svmconverter.cxx @@ -504,6 +504,23 @@ namespace nFollowingActionCount = remainingActions; return std::min(remainingActions, nFollowingActionCount); } + + void ClampRange(const OUString& rStr, sal_Int32& rIndex, sal_Int32& rLength) + { + const sal_Int32 nStrLength = rStr.getLength(); + + if (rIndex < 0 || rIndex > nStrLength) + { + SAL_WARN("vcl.gdi", "inconsistent offset"); + rIndex = nStrLength; + } + + if (rLength < 0 || rLength > nStrLength - rIndex) + { + SAL_WARN("vcl.gdi", "inconsistent len"); + rLength = nStrLength - rIndex; + } + } } #define LF_FACESIZE 32 @@ -927,6 +944,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf ) OUString aStr(OStringToOUString(aByteStr, eActualCharSet)); if ( nUnicodeCommentActionNumber == i ) ImplReadUnicodeComment( nUnicodeCommentStreamPos, rIStm, aStr ); + ClampRange(aStr, nIndex, nLen); rMtf.AddAction( new MetaTextAction( aPt, aStr, nIndex, nLen ) ); } 
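Review bot: In `ClampRange` (svmconverter.cxx, hunk @@ -504) a negative `rLength` is replaced by `nStrLength - rIndex`, i.e. the whole remaining string, so a malformed length widens the range instead of emptying it. If a negative value has no "to end of string" meaning in this record format, `rLength = 0;` would be the more conservative result for that case; either way the choice deserves a comment. A one-line contract above the function, `// Post: 0 <= rIndex <= rStr.getLength() and 0 <= rLength <= rStr.getLength() - rIndex`, would also help readers of the three call sites added in this commit.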
@@ -1017,6 +1035,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf ) } if ( nUnicodeCommentActionNumber == i ) ImplReadUnicodeComment( nUnicodeCommentStreamPos, rIStm, aStr ); + ClampRange(aStr, nIndex, nLen); rMtf.AddAction( new MetaTextArrayAction( aPt, aStr, pDXAry.get(), nIndex, nLen ) ); } @@ -1042,6 +1061,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf ) OUString aStr(OStringToOUString(aByteStr, eActualCharSet)); if ( nUnicodeCommentActionNumber == i ) ImplReadUnicodeComment( nUnicodeCommentStreamPos, rIStm, aStr ); + ClampRange(aStr, nIndex, nLen); rMtf.AddAction( new MetaStretchTextAction( aPt, nWidth, aStr, nIndex, nLen ) ); } diff --git a/vcl/source/helper/strhelper.cxx b/vcl/source/helper/strhelper.cxx index 4d0f1d993cd6..55c36955731f 100644 --- a/vcl/source/helper/strhelper.cxx +++ b/vcl/source/helper/strhelper.cxx @@ -84,7 +84,8 @@ inline void CopyUntil( sal_Unicode*& pTo, const sal_Unicode*& pFrom, sal_Unicode *pTo = *pFrom; pTo++; } - pFrom++; + if( *pFrom ) + pFrom++; } while( *pFrom && *pFrom != cUntil ); // copy the terminating character unless zero or protector if( ! isProtect( *pFrom ) || bIncludeUntil ) diff --git a/vcl/source/outdev/hatch.cxx b/vcl/source/outdev/hatch.cxx index 2059aa364824..f65b28ae5c24 100644 --- a/vcl/source/outdev/hatch.cxx +++ b/vcl/source/outdev/hatch.cxx @@ -373,7 +373,14 @@ void OutputDevice::DrawHatchLine( const tools::Line& rLine, const tools::PolyPol nAdd = 1; if( nAdd ) + { + if (nPCounter == HATCH_MAXPOINTS) + { + SAL_WARN("vcl.gdi", "too many hatch points"); + return; + } pPtBuffer[ nPCounter++ ] = Point( FRound( fX ), FRound( fY ) ); + } } aCurSegment.SetStart( aCurSegment.GetEnd() ); diff --git a/vcl/source/outdev/text.cxx b/vcl/source/outdev/text.cxx index d0b3a80bfc9d..f5079fa41489 100644 --- a/vcl/source/outdev/text.cxx +++ b/vcl/source/outdev/text.cxx 
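Review bot: In the hunk at @@ -1017 (svmconverter.cxx), `ClampRange(aStr, nIndex, nLen)` runs after `pDXAry` has already been built, and ClampRange can raise a negative `nLen` to the remaining string length. The code that sizes and fills the array is above the hunk and not shown, so please confirm that it always holds at least the clamped `nLen` entries, because `MetaTextArrayAction` receives `pDXAry.get()` together with the new `nLen`. If that is not guaranteed, re-validate the array length against `nLen` after the clamp and drop the action when it is too short.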
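Review bot: The new `if( *pFrom ) pFrom++;` in CopyUntil (strhelper.cxx) carries no comment saying why the increment became conditional, and the branch that can leave `pFrom` on the terminator is above the hunk. A short comment such as `// never step past the terminating NUL` on that line would keep the guard from being "simplified" away later. If other copy helpers in this file advance `pFrom` the same way (not visible here), they would need the same guard.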
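Review bot: The overflow guard added to DrawHatchLine (hatch.cxx) uses `return`, which leaves the function from inside the point-collection loop, so the points already stored in `pPtBuffer` for this line are presumably never drawn (the code after the loop is outside the hunk). If partial output is acceptable, stopping the collection and letting the existing drawing code run would degrade more gracefully than dropping the line. Writing the test as `if (nPCounter >= HATCH_MAXPOINTS)` is also slightly more defensive than `==`, should the counter ever be advanced elsewhere.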
@@ -1119,7 +1119,7 @@ void OutputDevice::GetCaretPositions( const OUString& rStr, long* pCaretXArray, for( i = 0; i < 2 * nLen; ++i ) if( pCaretXArray[ i ] >= 0 ) break; - long nXPos = pCaretXArray[ i ]; + long nXPos = (i < 2 * nLen) ? pCaretXArray[i] : -1; for( i = 0; i < 2 * nLen; ++i ) { if( pCaretXArray[ i ] >= 0 ) diff --git a/vcl/source/outdev/textline.cxx b/vcl/source/outdev/textline.cxx index 22e7db6230a1..3c7d913561f1 100644 --- a/vcl/source/outdev/textline.cxx +++ b/vcl/source/outdev/textline.cxx @@ -612,6 +612,8 @@ void OutputDevice::ImplDrawStrikeoutChar( long nBaseX, long nBaseY, int nStrikeStrLen = (nWidth+(nStrikeoutWidth-1)) / nStrikeoutWidth; if( nStrikeStrLen > nMaxStrikeStrLen ) nStrikeStrLen = nMaxStrikeStrLen; + else if (nStrikeStrLen < 0) + nStrikeStrLen = 0; // build the strikeout string for( int i = nTestStrLen; i < nStrikeStrLen; ++i) |
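Review bot: `nStrikeStrLen` in ImplDrawStrikeoutChar (textline.cxx) is still computed by dividing by `nStrikeoutWidth` before the new clamp runs, and nothing in the hunk shows that `nStrikeoutWidth` is positive at that point. Please confirm a check exists above the hunk: a zero width would fault in the division, and a negative one is one way to obtain the negative length this commit now clamps. If both operands are `int` and `<algorithm>` is available here, the two branches could be written as `nStrikeStrLen = std::clamp(nStrikeStrLen, 0, nMaxStrikeStrLen);`.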