vcl/source/fontsubset/sft.cxx |   29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

New commits:
commit fa22782df698b6b6ab19d23b99d3e213e32da942
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Mar 3 20:28:28 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Mar 4 11:29:33 2022 +0100

    ofz: Use-of-uninitialized-value
    
    Change-Id: If10e8d2465ef6de62583f6547e3f68e92002f3f8
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130864
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index ec0272027d6c..a0416a01621c 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1464,31 +1464,46 @@ int GetTTGlyphComponents(AbstractTrueTypeFont *ttf, 
sal_uInt32 glyphID, std::vec
 
     glyphlist.push_back( glyphID );
 
-    const sal_uInt32 nMaxGlyphSize = glyflength - nOffset;
+    sal_uInt32 nRemainingData = glyflength - nOffset;
 
-    if (nMaxGlyphSize >= 10 && GetInt16(ptr, 0) == -1) {
+    if (nRemainingData >= 10 && GetInt16(ptr, 0) == -1) {
         sal_uInt16 flags, index;
         ptr += 10;
+        nRemainingData -= 10;
         do {
+            if (nRemainingData < 4)
+            {
+                SAL_WARN("vcl.fonts", "short read");
+                break;
+            }
             flags = GetUInt16(ptr, 0);
             index = GetUInt16(ptr, 2);
 
             ptr += 4;
+            nRemainingData -= 4;
             n += GetTTGlyphComponents(ttf, index, glyphlist);
 
+            sal_uInt32 nAdvance;
             if (flags & ARG_1_AND_2_ARE_WORDS) {
-                ptr += 4;
+                nAdvance = 4;
             } else {
-                ptr += 2;
+                nAdvance = 2;
             }
 
             if (flags & WE_HAVE_A_SCALE) {
-                ptr += 2;
+                nAdvance += 2;
             } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) {
-                ptr += 4;
+                nAdvance += 4;
             } else if (flags & WE_HAVE_A_TWO_BY_TWO) {
-                ptr += 8;
+                nAdvance += 8;
+            }
+            if (nRemainingData < nAdvance)
+            {
+                SAL_WARN("vcl.fonts", "short read");
+                break;
             }
+            ptr += nAdvance;
+            nRemainingData -= nAdvance;
         } while (flags & MORE_COMPONENTS);
     }
 
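Review bot: The bound introduced at `sal_uInt32 nRemainingData = glyflength - nOffset;` appears, going by the names, to run to the end of the whole glyf table rather than to the end of this glyph's own entry. The `nRemainingData < 4` and `nRemainingData < nAdvance` checks therefore stop reads past the buffer, but a composite glyph whose MORE_COMPONENTS bit never clears can still walk into the following glyphs' bytes and recurse on whatever `index` those bytes decode to. If the glyph's own length is available from the loca data, clamping would tighten this, e.g. `nRemainingData = std::min<sal_uInt32>(nRemainingData, nThisGlyphLen /* placeholder: next glyph offset - nOffset */);`. The subtraction also depends on `nOffset <= glyflength`, and the recursion on a loop or range check for `index`; both would have to sit before the hunk, which starts and ends inside the function body, so confirm they exist. A short comment naming the constants would help the next reader: `// 10 = glyph header, 4 = component flags + glyphIndex`.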
