[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - vcl/source

Tue, 01 Mar 2022 09:10:03 -0800 

 vcl/source/fontsubset/ttcr.cxx |   33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

New commits:
commit 568753f4d867c4681b762b63f9b1254f56865da4
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Sun Feb 27 12:05:38 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Tue Mar 1 18:09:21 2022 +0100

    ofz#45081 check font length
    
    Change-Id: Ib8cea70652ae90403db3546c07d24a517b1ec93e
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130635
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>

diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx
index b9839b727f40..d4ff5f413ede 100644
--- a/vcl/source/fontsubset/ttcr.cxx
+++ b/vcl/source/fontsubset/ttcr.cxx
@@ -1308,14 +1308,21 @@ static void ProcessTables(TrueTypeCreator *tt)
     do {
         GlyphData *gd = static_cast<GlyphData *>(listCurrent(glyphlist));
 
-        if (gd->compflag) {                       /* re-number all components 
*/
+        if (gd->compflag && gd->nbytes > 10) {    /* re-number all components 
*/
             sal_uInt16 flags, index;
             sal_uInt8 *ptr = gd->ptr + 10;
+            size_t nRemaining = gd->nbytes - 10;
             do {
-                sal_uInt32 j;
+                if (nRemaining < 4)
+                {
+                    SAL_WARN("vcl.fonts", "truncated font");
+                    break;
+                }
                 flags = GetUInt16(ptr, 0);
                 index = GetUInt16(ptr, 2);
+
                 /* XXX use the sorted array of old to new glyphID mapping and 
do a binary search */
+                sal_uInt32 j;
                 for (j = 0; j < nGlyphs; j++) {
                     if (gid[j] == index) {
                         break;
@@ -1326,20 +1333,32 @@ static void ProcessTables(TrueTypeCreator *tt)
                 PutUInt16(static_cast<sal_uInt16>(j), ptr, 2);
 
                 ptr += 4;
+                nRemaining -= 4;
 
+                sal_uInt32 nAdvance = 0;
                 if (flags & ARG_1_AND_2_ARE_WORDS) {
-                    ptr += 4;
+                    nAdvance += 4;
                 } else {
-                    ptr += 2;
+                    nAdvance += 2;
                 }
 
                 if (flags & WE_HAVE_A_SCALE) {
-                    ptr += 2;
+                    nAdvance += 2;
                 } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) {
-                    ptr += 4;
+                    nAdvance += 4;
                 } else if (flags & WE_HAVE_A_TWO_BY_TWO) {
-                    ptr += 8;
+                    nAdvance += 8;
                 }
+
+                if (nRemaining < nAdvance)
+                {
+                    SAL_WARN("vcl.fonts", "truncated font");
+                    break;
+                }
+
+                ptr += nAdvance;
+                nRemaining -= nAdvance;
+
             } while (flags & MORE_COMPONENTS);
         }

Reply via email to