vcl/source/font/fontcharmap.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 229aca48befa4bdb52041ce6d0dca16a87b778e4
Author: Jan-Marek Glogowski <glo...@fbihome.de>
AuthorDate: Sat Sep 19 11:53:27 2020 +0200
Commit: Caolán McNamara <caol...@redhat.com>
CommitDate: Mon Sep 21 12:59:45 2020 +0200
Fix crash from broken font CMAP subtable
ParseCMAP crashes on a broken CMAP subtable of a font used by the
bugdoc of tdf#119074, which returns a negative offset (technically
it's large positive offset turning into a wrong negative integer,
which is still out of bounds of the CMAP overall size - you get
the point). This simply ignores that broken subtable, checking for
other existing ones.
Regressed-by: c7482bc2904401e7d975b5721ec861b8589253f9
Change-Id: I95820fe3bb6bd2fe2e0cf9d4c3536abce31fd497
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103033
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit 9bf4c5ac49b73cc2a8c89a87ff87238c061a579d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103046
Reviewed-by: Jan-Marek Glogowski <glo...@fbihome.de>
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 5e83e19cefb1..027df3ce6df1 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -151,7 +151,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength,
CmapResult& rResult )
int nTmpOffset = GetUInt( p+4 );
- if (nTmpOffset + 2 > nLength)
+ if (nTmpOffset + 2 > nLength || nTmpOffset < 0)
continue;
int nTmpFormat = GetUShort( pCmap + nTmpOffset );
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
