vcl/source/fontsubset/sft.cxx |   45 +++++++++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 11 deletions(-)

New commits:
commit ec15218b322801e01e43a5879099d789875f8cc7
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Tue Mar 1 09:15:40 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Wed Mar 2 12:52:08 2022 +0100

    ofz: measure legal range from glyph offset, not table start
    
    Change-Id: I04c1036e004be678b70a7df197141970aa3c8b16
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130750
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130826
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 867e00b47e0b..a5894f2f3e24 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -380,11 +380,11 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const 
*ttf, sal_uInt32 glyphI
 
     sal_uInt16 instLen = GetUInt16(ptr, 10 + numberOfContours*2);
     sal_uInt32 nOffset = 10 + 2 * numberOfContours + 2 + instLen;
-    if (nOffset > nTableSize)
+    if (nOffset > nMaxGlyphSize)
         return 0;
     const sal_uInt8* p = ptr + nOffset;
 
-    const sal_uInt32 nBytesRemaining = nTableSize - nOffset;
+    const sal_uInt32 nBytesRemaining = nMaxGlyphSize - nOffset;
     const sal_uInt32 palen = lastPoint+1;
 
     //at a minimum its one byte per entry
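Review bot: The `instLen` read `GetUInt16(ptr, 10 + numberOfContours*2)` on the first context line sits above the tightened `nOffset > nMaxGlyphSize` check, so that check cannot protect it. Unless a guard outside this hunk already ensures those two bytes lie inside the legal range, add one before the read, e.g. `if (sal_uInt32(10 + 2 * numberOfContours + 2) > nMaxGlyphSize) return 0;` (this assumes `numberOfContours` is already known to be non-negative at this point). `nMaxGlyphSize` is declared outside the hunk and GetSimpleTTOutline starts and ends outside it, so this needs confirming against the full function.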
@@ -638,8 +638,8 @@ static int GetCompoundTTOutline(AbstractTrueTypeFont *ttf, 
sal_uInt32 glyphID, C
  */
 static int GetTTGlyphOutline(AbstractTrueTypeFont *ttf, sal_uInt32 glyphID, 
ControlPoint **pointArray, TTGlyphMetrics *metrics, std::vector< sal_uInt32 >* 
glyphlist)
 {
-    sal_uInt32 nSize;
-    const sal_uInt8 *table = ttf->table(O_glyf, nSize);
+    sal_uInt32 glyflength;
+    const sal_uInt8 *table = ttf->table(O_glyf, glyflength);
     sal_Int16 numberOfContours;
     int res;
     *pointArray = nullptr;
@@ -650,14 +650,26 @@ static int GetTTGlyphOutline(AbstractTrueTypeFont *ttf, 
sal_uInt32 glyphID, Cont
     if (glyphID >= ttf->glyphCount())
         return -1;
 
-    const sal_uInt8* ptr = table + ttf->glyphOffset(glyphID);
-    int length = ttf->glyphOffset(glyphID + 1) - ttf->glyphOffset(glyphID);
+    sal_uInt32 nNextOffset = ttf->glyphOffset(glyphID + 1);
+    if (nNextOffset > glyflength)
+        return -1;
+
+    sal_uInt32 nOffset = ttf->glyphOffset(glyphID);
+    if (nOffset > nNextOffset)
+        return -1;
 
+    int length = nNextOffset - nOffset;
     if (length == 0) {                                      /*- empty glyphs 
still have hmtx and vmtx metrics values */
         if (metrics) GetMetrics(ttf, glyphID, metrics);
         return 0;
     }
 
+    const sal_uInt8* ptr = table + nOffset;
+    const sal_uInt32 nMaxGlyphSize = glyflength - nOffset;
+
+    if (nMaxGlyphSize < 2)
+        return -1;
+
     numberOfContours = GetInt16(ptr, 0);
 
     if (numberOfContours >= 0)
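Review bot: `nMaxGlyphSize` is `glyflength - nOffset`, the bytes from this glyph's start to the end of the glyf table, not the glyph's own `length` (`nNextOffset - nOffset`) computed a few lines above. That keeps reads inside the table but still lets a malformed glyph be parsed across the data of the glyphs that follow it, and the name reads like a per-glyph limit, so a comment would help: `// upper bound only: bytes to the end of the glyf table; the glyph's declared size is 'length'`. Separately, `length` stays `int` while both offsets are now `sal_uInt32`; `sal_uInt32 length = nNextOffset - nOffset;` would avoid the narrowing conversion, assuming no use outside the hunk needs a signed value. The function body continues past the hunk.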
@@ -1389,16 +1401,27 @@ int GetTTGlyphComponents(AbstractTrueTypeFont *ttf, 
sal_uInt32 glyphID, std::vec
     if (glyphID >= ttf->glyphCount())
         return 0;
 
-    sal_uInt32 nSize;
-    const sal_uInt8* glyf = ttf->table(O_glyf, nSize);
-    const sal_uInt8* ptr = glyf + ttf->glyphOffset(glyphID);
-    const sal_uInt8* nptr = glyf + ttf->glyphOffset(glyphID + 1);
+    sal_uInt32 glyflength;
+    const sal_uInt8* glyf = ttf->table(O_glyf, glyflength);
+
+    sal_uInt32 nNextOffset = ttf->glyphOffset(glyphID + 1);
+    if (nNextOffset > glyflength)
+        return 0;
+
+    sal_uInt32 nOffset = ttf->glyphOffset(glyphID);
+    if (nOffset > nNextOffset)
+        return 0;
+
+    const sal_uInt8* ptr = glyf + nOffset;
+    const sal_uInt8* nptr = glyf + nNextOffset;
     if (nptr <= ptr)
         return 0;
 
     glyphlist.push_back( glyphID );
 
-    if (GetInt16(ptr, 0) == -1) {
+    const sal_uInt32 nMaxGlyphSize = glyflength - nOffset;
+
+    if (nMaxGlyphSize >= 10 && GetInt16(ptr, 0) == -1) {
         sal_uInt16 flags, index;
         ptr += 10;
         do {
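Review bot: The new `nMaxGlyphSize >= 10` guard only covers the 10-byte glyph header; with exactly 10 bytes left, `ptr += 10` lands at the end of the glyf table and the `do` loop starts from there. The loop body is outside this hunk, but given the `flags, index` declarations it presumably reads at least four bytes per component, and nothing visible bounds those reads. Track what is left, e.g. `sal_uInt32 nRemaining = nMaxGlyphSize - 10;` before the loop and `if (nRemaining < 4) break;` at the top of each iteration, decrementing it as `ptr` advances.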
