[Libreoffice-commits] core.git: vcl/source

[Caolán McNamara (via logerrit)]

 vcl/source/font/fontcharmap.cxx |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

New commits:
commit a6eaacf66ccc8f83b075b775f4dfa0aace0c3e3a
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Jul 22 09:13:14 2019 +0100
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Mon Jul 22 13:56:47 2019 +0200

    cid#1209863 Untrusted loop bound
    
    Change-Id: Ie9c3672a065b9df4580559cd927c6b1524edde0e
    Reviewed-on: https://gerrit.libreoffice.org/76099
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Tested-by: Caolán McNamara <caol...@redhat.com>

diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index ade991626dd9..78c1c7112d09 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -231,9 +231,20 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, 
CmapResult& rResult )
     else if( (nFormat == 12) && ((nOffset+16) < nLength) )
     {
         nRangeCount = GetUInt( pCmap + nOffset + 12 );
+
+        const int nGroupOffset = nOffset + 16;
+        const int nRemainingLen = nLength - nGroupOffset;
+        const int nMaxPossiblePairs = nRemainingLen / 12;
+        if (nRangeCount > nMaxPossiblePairs)
+        {
+            SAL_WARN("vcl.gdi", "more code pairs requested then space 
available");
+            nRangeCount = nMaxPossiblePairs;
+        }
+
         pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
         pStartGlyphs = new int[ nRangeCount ];
-        const unsigned char* pGroup = pCmap + nOffset + 16;
+
+        const unsigned char* pGroup = pCmap + nGroupOffset;
         sal_UCS4* pCP = pCodePairs;
         for( int i = 0; i < nRangeCount; ++i )
         {
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits