[Libreoffice-commits] core.git: Branch 'libreoffice-6-0' - vcl/source

Caolán McNamara Thu, 08 Feb 2018 04:26:25 -0800

 vcl/source/fontsubset/sft.cxx |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)


New commits:
commit fa83c595e48d74d686b3ed894d3d4893d82975c9
Author: Caolán McNamara <caol...@redhat.com>
Date:   Wed Feb 7 16:05:08 2018 +0000

    stay within font bounds
    
    Change-Id: Ie8ed610b71cb1b20963827c2be97155d2d8aa22c
    Reviewed-on: https://gerrit.libreoffice.org/49370
    Tested-by: Jenkins <c...@libreoffice.org>
    Reviewed-by: Michael Stahl <mst...@redhat.com>

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index d69a6132d938..5c7929b76615 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1560,7 +1560,12 @@ static int doOpenTTFont( sal_uInt32 facenum, 
TrueTypeFont* t )
     /* parse the tables */
     for (i=0; i<(int)t->ntables; i++) {
         int nIndex;
-        tag = GetUInt32(t->ptr + tdoffset + 12, 16 * i);
+        const sal_uInt32 nStart = tdoffset + 12;
+        const sal_uInt32 nOffset = 16 * i;
+        if (nStart + nOffset + sizeof(sal_uInt32) <=  
static_cast<sal_uInt32>(t->fsize))
+            tag = GetUInt32(t->ptr + nStart, nOffset);
+        else
+            tag = static_cast<sal_uInt32>(-1);
         switch( tag ) {
             case T_maxp: nIndex = O_maxp; break;
             case T_glyf: nIndex = O_glyf; break;
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

[Libreoffice-commits] core.git: Branch 'libreoffice-6-0' - vcl/source

Reply via email to