vcl/source/fontsubset/sft.cxx |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit f4e32af7450c4e6fa1063aec95ba9df49c055a3b
Author: Caolán McNamara <caol...@redhat.com>
Date:   Wed Feb 7 16:05:08 2018 +0000

    stay within font bounds
    
    Change-Id: Ie8ed610b71cb1b20963827c2be97155d2d8aa22c
    Reviewed-on: https://gerrit.libreoffice.org/49369
    Tested-by: Jenkins <c...@libreoffice.org>
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Tested-by: Caolán McNamara <caol...@redhat.com>

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index cfad36e35f64..c61c74b672dd 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1563,7 +1563,12 @@ static int doOpenTTFont( sal_uInt32 facenum, 
TrueTypeFont* t )
     /* parse the tables */
     for (i=0; i<static_cast<int>(t->ntables); i++) {
         int nIndex;
-        tag = GetUInt32(t->ptr + tdoffset + 12, 16 * i);
+        const sal_uInt32 nStart = tdoffset + 12;
+        const sal_uInt32 nOffset = 16 * i;
+        if (nStart + nOffset + sizeof(sal_uInt32) <=  
static_cast<sal_uInt32>(t->fsize))
+            tag = GetUInt32(t->ptr + nStart, nOffset);
+        else
+            tag = static_cast<sal_uInt32>(-1);
         switch( tag ) {
             case T_maxp: nIndex = O_maxp; break;
             case T_glyf: nIndex = O_glyf; break;
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

Reply via email to