From e8cdb549a3b19323668a323676f4b7dc21e8f6e0 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 7 Feb 2018 15:33:36 +0000
Subject: check table size before reading nglyphs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: Ib511fdf16006877ca76085137eb9200601b2f8f7
Reviewed-on: https://gerrit.libreoffice.org/49363
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 08dd51bfcaa6b493e134bcc7787cc18c36ad5db1)
Reviewed-on: https://gerrit.libreoffice.org/49436
Reviewed-by: Michael Stahl <mstahl@redhat.com>
---
 vcl/source/fontsubset/sft.cxx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 0e0978b779c0..d97be8071272 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1693,7 +1693,8 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
     }
 
     const sal_uInt8* table = getTable(t, O_maxp);
-    t->nglyphs = GetUInt16(table, 4, 1);
+    sal_uInt32 table_size = getTableSize(t, O_maxp);
+    t->nglyphs = table_size >= 6 ? GetUInt16(table, 4, 1) : 0;
 
     table = getTable(t, O_head);
     t->unitsPerEm = GetUInt16(table, 18, 1);
-- 
cgit