From d8e7aa5fec18e0910fe7b03efedffc7c9d6f62b6 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Wed, 7 Feb 2018 16:44:43 +0000
Subject: check O_hhea and O_vhea sizes

Change-Id: I82e47732815f0112801c8c3a3e5b0b09ac25610a
Reviewed-on: https://gerrit.libreoffice.org/49439
Reviewed-by: Michael Stahl
Tested-by: Jenkins
---
 vcl/source/fontsubset/sft.cxx | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index d97be8071272..b34037ebdba1 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1548,8 +1548,10 @@ int OpenTTFontBuffer(const void* pBuffer, sal_uInt32 nLen, sal_uInt32 facenum, T

 static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
 {
- if (t->fsize < 4)
+ if (t->fsize < 4) {
+ CloseTTFont(t);
 return SF_TTFORMAT;
+ }
 int i;
 sal_uInt32 length, tag;
 sal_uInt32 tdoffset = 0; /* offset to TableDirectory in a TTC file. For TTF files is 0 */
@@ -1730,10 +1732,12 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
 }

 table = getTable(t, O_hhea);
- t->numberOfHMetrics = (table != nullptr) ? GetUInt16(table, 34, 1) : 0;
+ table_size = getTableSize(t, O_hhea);
+ t->numberOfHMetrics = (table && table_size >= 36) ? GetUInt16(table, 34, 1) : 0;

 table = getTable(t, O_vhea);
- t->numOfLongVerMetrics = (table != nullptr) ? GetUInt16(table, 34, 1) : 0;
+ table_size = getTableSize(t, O_vhea);
+ t->numOfLongVerMetrics = (table && table_size >= 36) ? GetUInt16(table, 34, 1) : 0;

 GetNames(t);
 FindCmap(t);
-- cgit
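Review bot: The new early exit under `if (t->fsize < 4)` calls `CloseTTFont(t)` before doOpenTTFont has assigned any member of `t`, so it is only safe if every caller passes in a zero-initialised TrueTypeFont; the allocation is not visible in this hunk and should be confirmed. The function now also releases `t` on this failure while the caller still holds the pointer, which invites a use-after-free or double free if a caller cleans up on a non-success return. I would state the ownership rule above the function, e.g. `/* On this error return t has already been released with CloseTTFont(); callers must not use or free it again. */`, extending it to the later error returns if they behave the same way. doOpenTTFont's body continues outside the hunk.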
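Review bot: The bound `table_size >= 36` in both the `O_hhea` and `O_vhea` assignments is a bare number that has to stay in step with the read at offset 34 in `GetUInt16(table, 34, 1)`. Naming the offset once (a constant typed to match `table_size`) and testing `table_size >= offset + 2` would keep the check and the read from drifting apart. The check also covers only the read of the field: the 16-bit count still comes straight from the font file and is stored as is, so whatever later walks the metrics tables with `numberOfHMetrics` or `numOfLongVerMetrics` presumably needs its own bound against those tables' sizes, which this hunk does not show. A short comment such as `/* value is untrusted font data; bounds-check at each use */` next to the two assignments would make that explicit. The declaration of `table_size` is outside the hunk.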